@spacebar_ai/moldclaw-core 2026.3.41 → 2026.3.44
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/accounts-5qY-dKca.d.ts +103 -0
- package/dist/accounts-SqdHz2ZP.js +114 -0
- package/dist/acp-cli-E6bcNqiE.js +2093 -0
- package/dist/actions.runtime-BU_XMuLk.js +119 -0
- package/dist/actions.runtime-CY5h8lqH.js +133 -0
- package/dist/agent-scope-lZlwP1At.js +208 -0
- package/dist/agents-C4SkadR1.js +853 -0
- package/dist/agents-RfwqGCzE.js +222 -0
- package/dist/agents.config-CX9CPNfP.js +17 -0
- package/dist/agents.config-DF9Zwn9n.js +121 -0
- package/dist/allow-list-3WSjz1zl.js +81 -0
- package/dist/allowlist-DNbDjFjw.js +142 -0
- package/dist/api-BEOpJ7dR.js +117 -0
- package/dist/audit-CpJz_eu6.js +787 -0
- package/dist/audit-CpfSjvyo.js +54 -0
- package/dist/audit-channel.collect.runtime-BeGotloZ.js +605 -0
- package/dist/audit-channel.runtime-BJDZ7ETt.js +121 -0
- package/dist/audit-extra.async-C2G0mqmk.js +813 -0
- package/dist/audit-membership-runtime-B1FqJsPV.js +162 -0
- package/dist/audit.deep.runtime-DyL9O_sU.js +25 -0
- package/dist/audit.nondeep.runtime-C6jFgJfH.js +832 -0
- package/dist/audit.runtime-Dnlsn23e.js +118 -0
- package/dist/auth-Ch3Rchm4.js +101 -0
- package/dist/auth-choice-CEFSlnLT.js +122 -0
- package/dist/auth-choice-CVCef-eU.js +268 -0
- package/dist/auth-choice-Cez-pXrg.js +507 -0
- package/dist/auth-choice-options-DO78mvPe.js +123 -0
- package/dist/auth-choice-prompt-CUkC7Mmb.js +36 -0
- package/dist/auth-choice-prompt-DCuQRiVl.js +115 -0
- package/dist/auth-choice.apply-helpers-BhbNIV8X.js +66 -0
- package/dist/auth-choice.plugin-providers.runtime-4BhqvEw_.js +119 -0
- package/dist/auth-profiles-smABVXzp.js +128040 -0
- package/dist/auth-profiles.runtime-Cr-ojtTc.js +116 -0
- package/dist/banner-CojBHPWr.js +342 -0
- package/dist/bluebubbles-BnLsj2Fy.d.ts +6 -0
- package/dist/bluebubbles-CVk7M3Bl.js +64 -0
- package/dist/bot-DdyrB2z9.d.ts +478 -0
- package/dist/brave-w4Fo8WZ3.js +24 -0
- package/dist/browser-cli-DWFs3P_i.js +1494 -0
- package/dist/build-info.json +3 -3
- package/dist/bundled/boot-md/handler.d.ts +1 -1
- package/dist/bundled/boot-md/handler.js +35 -35
- package/dist/bundled/bootstrap-extra-files/handler.d.ts +1 -1
- package/dist/bundled/bootstrap-extra-files/handler.js +1 -1
- package/dist/bundled/command-logger/handler.d.ts +1 -1
- package/dist/bundled/session-memory/handler.d.ts +1 -1
- package/dist/bundled/session-memory/handler.js +36 -36
- package/dist/call-Do7wTSr7.js +39 -0
- package/dist/call-gdDAt07d.js +640 -0
- package/dist/canvas-host/a2ui/.bundle.hash +1 -1
- package/dist/channel-B26pkce0.js +214 -0
- package/dist/channel-BJHp0AQC.js +352 -0
- package/dist/channel-BKFOv51P.js +4681 -0
- package/dist/channel-BNgpOY8v.js +538 -0
- package/dist/channel-BcQAAo2P.js +226 -0
- package/dist/channel-BvNdnhbx.js +1598 -0
- package/dist/channel-C1Rda3Jd.js +306 -0
- package/dist/channel-C87DG-F7.js +803 -0
- package/dist/channel-CIip0kvZ.js +619 -0
- package/dist/channel-CTPxoT_E2.js +316 -0
- package/dist/channel-CklaCzUG.js +562 -0
- package/dist/channel-CoJnAdLs.js +920 -0
- package/dist/channel-D3tafL1_.js +949 -0
- package/dist/channel-DFMrP2uu.js +542 -0
- package/dist/channel-DMd5cJQe.js +397 -0
- package/dist/channel-Dm34kxAJ.js +207 -0
- package/dist/channel-DmwF9udn.js +1321 -0
- package/dist/channel-account-context-Bjur9nlh.js +103 -0
- package/dist/channel-bGnST659.js +943 -0
- package/dist/channel-hIgbkTZf.js +575 -0
- package/dist/channel-m_TGrDKo.js +497 -0
- package/dist/channel-options-DoUPBMa8.js +50 -0
- package/dist/channel-plugin-ids-TZIY4hFs.js +26 -0
- package/dist/channel-summary-qD54bOBO.js +111 -0
- package/dist/channel.runtime-B0H04Dkk.js +199 -0
- package/dist/channel.runtime-BU1f3NkV.js +418 -0
- package/dist/channel.runtime-Bj1sfLep.js +4011 -0
- package/dist/channel.runtime-BtPAAJc3.js +870 -0
- package/dist/channel.runtime-Bx-10m_j.js +171 -0
- package/dist/channel.runtime-CI_TBywQ.js +179 -0
- package/dist/channel.runtime-CSLj14-Z.js +182 -0
- package/dist/channel.runtime-D-lTSYAd.js +404 -0
- package/dist/channel.runtime-DJqIOSji.js +127 -0
- package/dist/channel.runtime-Ec8aQ9V2.js +241 -0
- package/dist/channel.runtime-ax5a1jBm.js +218 -0
- package/dist/channel.setup-B-ncdYLT.js +9 -0
- package/dist/channel.setup-BY4bh5dm.js +9 -0
- package/dist/channel.setup-BovsdMnL.js +57 -0
- package/dist/channel.setup-CXzXA25h.js +6 -0
- package/dist/channel.setup-DcZUEufN.js +8 -0
- package/dist/channel.setup-E6zceRsE.js +8 -0
- package/dist/channel.setup-Pc7nGbdX.js +11 -0
- package/dist/channels/plugins/actions/discord.d.ts +2 -2
- package/dist/channels/plugins/actions/discord.js +35 -35
- package/dist/channels/plugins/actions/signal.d.ts +1 -1
- package/dist/channels/plugins/actions/signal.js +35 -35
- package/dist/channels/plugins/actions/telegram.d.ts +2 -2
- package/dist/channels/plugins/actions/telegram.js +35 -35
- package/dist/channels/plugins/agent-tools/whatsapp-login.d.ts +3 -3
- package/dist/channels/plugins/agent-tools/whatsapp-login.js +35 -35
- package/dist/channels-CPtE5ND6.js +404 -0
- package/dist/channels-Cj8ZolHI.js +1118 -0
- package/dist/channels-cli-D2sKrntt.js +291 -0
- package/dist/channels-status-issues-CzIHODg2.js +16 -0
- package/dist/clawbot-cli-BcwEDmUn.js +118 -0
- package/dist/cleanup-utils-D0L17RsX.js +96 -0
- package/dist/cli/daemon-cli.js +1 -1
- package/dist/cli-BvGVPKnD.js +154 -0
- package/dist/command-registry-CADQzTAg.js +14 -0
- package/dist/command-registry-ktiJNAJd.js +242 -0
- package/dist/command-secret-gateway-CXp10RTM.js +111 -0
- package/dist/compact.runtime-DyKL-Iar.js +116 -0
- package/dist/completion-cli-Bz4STrpt.js +17 -0
- package/dist/completion-cli-pVda2OFb.js +445 -0
- package/dist/config-BbvDRSYp.js +31 -0
- package/dist/config-CwBv71QC.js +44 -0
- package/dist/config-cli-Y0uXHbOw.js +678 -0
- package/dist/config-guard-BpW5g7JE.js +118 -0
- package/dist/config-validation-B-vLIsbo.js +262 -0
- package/dist/config-value-DT3-5958.js +132 -0
- package/dist/configure-B9U-jCqP.js +1100 -0
- package/dist/configure-BJ3Wrs5b.js +243 -0
- package/dist/control-ui-assets-C1YDYi82.js +232 -0
- package/dist/control-ui-shared-Dm5Dh0Lo.js +29 -0
- package/dist/core-BwKq3krw.js +150 -0
- package/dist/core-hjBwfDsW.d.ts +87 -0
- package/dist/cron-cli-DTDgfoMh.js +639 -0
- package/dist/daemon-cli-C-dkAXR1.js +339 -0
- package/dist/daemon-install-Oy0Q5pMF.js +180 -0
- package/dist/deliver-DNGnDqF9.js +111 -0
- package/dist/deliver-runtime-CCNZIhET.js +111 -0
- package/dist/device-id-cli-XvwZbIyC.js +52 -0
- package/dist/device-identity-IG5DngWM.js +365 -0
- package/dist/devices-cli-DIsxj4xp.js +342 -0
- package/dist/diagnostic-DTPopFvh.js +310 -0
- package/dist/directory-cli-DTSY3Ktr.js +311 -0
- package/dist/directory-config-helpers-DpFcAbmo.d.ts +38 -0
- package/dist/directory.static-CBRAUwUW.js +44 -0
- package/dist/discord-CrgxhEWw.js +114 -0
- package/dist/discovery-DrG7wmAR.js +48 -0
- package/dist/dm-policy-shared-DKoGdUpY.d.ts +95 -0
- package/dist/dns-cli-BJiz6CLK.js +217 -0
- package/dist/docs-cli-Dq2Yi5qO.js +174 -0
- package/dist/doctor-completion-D3GeVcFP.js +90 -0
- package/dist/doctor-config-flow-B1cMjr8h.js +112 -0
- package/dist/doctor-config-flow-BUe7JpV3.js +2437 -0
- package/dist/enable-Bc8bCuVe.js +24 -0
- package/dist/entry.js +4 -4
- package/dist/exec-approvals-cli-kLAev6bP.js +421 -0
- package/dist/extensions/acpx/index.d.ts +1 -1
- package/dist/extensions/amazon-bedrock/index.d.ts +1 -1
- package/dist/extensions/amazon-bedrock/index.js +4 -4
- package/dist/extensions/anthropic/index.d.ts +1 -1
- package/dist/extensions/anthropic/index.js +35 -35
- package/dist/extensions/bluebubbles/index.d.ts +1 -1
- package/dist/extensions/bluebubbles/index.js +39 -39
- package/dist/extensions/bluebubbles/setup-entry.d.ts +2 -2
- package/dist/extensions/bluebubbles/setup-entry.js +39 -39
- package/dist/extensions/brave/index.d.ts +1 -1
- package/dist/extensions/brave/index.js +5 -5
- package/dist/extensions/byteplus/index.d.ts +1 -1
- package/dist/extensions/byteplus/index.js +35 -35
- package/dist/extensions/cloudflare-ai-gateway/index.d.ts +1 -1
- package/dist/extensions/cloudflare-ai-gateway/index.js +36 -36
- package/dist/extensions/copilot-proxy/index.d.ts +1 -1
- package/dist/extensions/copilot-proxy/index.js +4 -4
- package/dist/extensions/device-pair/index.d.ts +1 -1
- package/dist/extensions/device-pair/index.js +4 -4
- package/dist/extensions/diagnostics-otel/index.d.ts +1 -1
- package/dist/extensions/diagnostics-otel/index.js +4 -4
- package/dist/extensions/diffs/index.d.ts +1 -1
- package/dist/extensions/discord/index.d.ts +1 -1
- package/dist/extensions/discord/index.js +40 -40
- package/dist/extensions/discord/setup-entry.d.ts +1 -1
- package/dist/extensions/discord/setup-entry.js +38 -38
- package/dist/extensions/elevenlabs/index.d.ts +1 -1
- package/dist/extensions/elevenlabs/index.js +35 -35
- package/dist/extensions/feishu/index.d.ts +2 -2
- package/dist/extensions/feishu/index.js +40 -40
- package/dist/extensions/feishu/setup-entry.d.ts +2 -2
- package/dist/extensions/feishu/setup-entry.js +37 -37
- package/dist/extensions/firecrawl/index.d.ts +1 -1
- package/dist/extensions/firecrawl/index.js +35 -35
- package/dist/extensions/github-copilot/index.d.ts +1 -1
- package/dist/extensions/github-copilot/index.js +35 -35
- package/dist/extensions/google/index.d.ts +1 -1
- package/dist/extensions/google/index.js +35 -35
- package/dist/extensions/googlechat/index.d.ts +1 -1
- package/dist/extensions/googlechat/index.js +38 -38
- package/dist/extensions/googlechat/setup-entry.d.ts +1 -1
- package/dist/extensions/googlechat/setup-entry.js +38 -38
- package/dist/extensions/huggingface/index.d.ts +1 -1
- package/dist/extensions/huggingface/index.js +35 -35
- package/dist/extensions/imessage/index.d.ts +1 -1
- package/dist/extensions/imessage/index.js +39 -39
- package/dist/extensions/imessage/setup-entry.d.ts +1 -1
- package/dist/extensions/imessage/setup-entry.js +39 -39
- package/dist/extensions/irc/index.d.ts +1 -1
- package/dist/extensions/irc/index.js +38 -38
- package/dist/extensions/irc/setup-entry.d.ts +2 -2
- package/dist/extensions/irc/setup-entry.js +38 -38
- package/dist/extensions/kakao-talkchannel/index.d.ts +1 -1
- package/dist/extensions/kakao-talkchannel/index.js +4 -4
- package/dist/extensions/kilocode/index.d.ts +1 -1
- package/dist/extensions/kilocode/index.js +35 -35
- package/dist/extensions/kimi-coding/index.d.ts +1 -1
- package/dist/extensions/kimi-coding/index.js +35 -35
- package/dist/extensions/line/index.d.ts +1 -1
- package/dist/extensions/line/index.js +37 -37
- package/dist/extensions/line/setup-entry.d.ts +1 -1
- package/dist/extensions/line/setup-entry.js +37 -37
- package/dist/extensions/llm-task/index.d.ts +1 -1
- package/dist/extensions/llm-task/index.js +35 -35
- package/dist/extensions/lobster/index.d.ts +1 -1
- package/dist/extensions/lobster/index.js +4 -4
- package/dist/extensions/matrix/index.d.ts +1 -1
- package/dist/extensions/matrix/index.js +40 -40
- package/dist/extensions/matrix/setup-entry.d.ts +2 -2
- package/dist/extensions/matrix/setup-entry.js +40 -40
- package/dist/extensions/mattermost/index.d.ts +1 -1
- package/dist/extensions/mattermost/index.js +37 -37
- package/dist/extensions/mattermost/setup-entry.d.ts +2 -2
- package/dist/extensions/mattermost/setup-entry.js +37 -37
- package/dist/extensions/memory-core/index.d.ts +1 -1
- package/dist/extensions/memory-core/index.js +4 -4
- package/dist/extensions/memory-lancedb/index.d.ts +1 -1
- package/dist/extensions/memory-lancedb/index.js +4 -4
- package/dist/extensions/microsoft/index.d.ts +1 -1
- package/dist/extensions/microsoft/index.js +35 -35
- package/dist/extensions/minimax/index.d.ts +1 -1
- package/dist/extensions/minimax/index.js +35 -35
- package/dist/extensions/mistral/index.d.ts +1 -1
- package/dist/extensions/mistral/index.js +35 -35
- package/dist/extensions/modelstudio/index.d.ts +1 -1
- package/dist/extensions/modelstudio/index.js +35 -35
- package/dist/extensions/moonshot/index.d.ts +1 -1
- package/dist/extensions/moonshot/index.js +35 -35
- package/dist/extensions/msteams/index.d.ts +1 -1
- package/dist/extensions/msteams/index.js +40 -40
- package/dist/extensions/msteams/setup-entry.d.ts +1 -1
- package/dist/extensions/msteams/setup-entry.js +40 -40
- package/dist/extensions/nextcloud-talk/index.d.ts +1 -1
- package/dist/extensions/nextcloud-talk/index.js +37 -37
- package/dist/extensions/nextcloud-talk/setup-entry.d.ts +2 -2
- package/dist/extensions/nextcloud-talk/setup-entry.js +37 -37
- package/dist/extensions/nostr/index.d.ts +1 -1
- package/dist/extensions/nostr/index.js +37 -37
- package/dist/extensions/nostr/setup-entry.d.ts +1 -1
- package/dist/extensions/nostr/setup-entry.js +37 -37
- package/dist/extensions/nvidia/index.d.ts +1 -1
- package/dist/extensions/nvidia/index.js +4 -4
- package/dist/extensions/ollama/index.d.ts +1 -1
- package/dist/extensions/ollama/index.js +7 -7
- package/dist/extensions/open-prose/index.d.ts +1 -1
- package/dist/extensions/open-prose/index.js +4 -4
- package/dist/extensions/openai/index.d.ts +1 -1
- package/dist/extensions/openai/index.js +35 -35
- package/dist/extensions/opencode/index.d.ts +1 -1
- package/dist/extensions/opencode/index.js +35 -35
- package/dist/extensions/opencode-go/index.d.ts +1 -1
- package/dist/extensions/opencode-go/index.js +35 -35
- package/dist/extensions/openrouter/index.d.ts +1 -1
- package/dist/extensions/openrouter/index.js +35 -35
- package/dist/extensions/openshell/index.d.ts +1 -1
- package/dist/extensions/openshell/index.js +35 -35
- package/dist/extensions/perplexity/index.d.ts +1 -1
- package/dist/extensions/perplexity/index.js +5 -5
- package/dist/extensions/phone-control/index.d.ts +1 -1
- package/dist/extensions/phone-control/index.js +4 -4
- package/dist/extensions/qianfan/index.d.ts +1 -1
- package/dist/extensions/qianfan/index.js +35 -35
- package/dist/extensions/qwen-portal-auth/index.d.ts +1 -1
- package/dist/extensions/qwen-portal-auth/index.js +35 -35
- package/dist/extensions/sglang/index.d.ts +1 -1
- package/dist/extensions/sglang/index.js +35 -35
- package/dist/extensions/signal/index.d.ts +1 -1
- package/dist/extensions/signal/index.js +38 -38
- package/dist/extensions/signal/setup-entry.d.ts +1 -1
- package/dist/extensions/signal/setup-entry.js +38 -38
- package/dist/extensions/slack/index.d.ts +1 -1
- package/dist/extensions/slack/index.js +39 -39
- package/dist/extensions/slack/setup-entry.d.ts +1 -1
- package/dist/extensions/slack/setup-entry.js +38 -38
- package/dist/extensions/synology-chat/index.d.ts +1 -1
- package/dist/extensions/synology-chat/index.js +37 -37
- package/dist/extensions/synology-chat/setup-entry.d.ts +1 -1
- package/dist/extensions/synology-chat/setup-entry.js +37 -37
- package/dist/extensions/synthetic/index.d.ts +1 -1
- package/dist/extensions/synthetic/index.js +35 -35
- package/dist/extensions/talk-voice/index.d.ts +1 -1
- package/dist/extensions/talk-voice/index.js +35 -35
- package/dist/extensions/telegram/index.d.ts +1 -1
- package/dist/extensions/telegram/index.js +38 -38
- package/dist/extensions/telegram/setup-entry.d.ts +1 -1
- package/dist/extensions/telegram/setup-entry.js +37 -37
- package/dist/extensions/thread-ownership/index.d.ts +1 -1
- package/dist/extensions/thread-ownership/index.js +4 -4
- package/dist/extensions/tlon/index.d.ts +1 -1
- package/dist/extensions/tlon/index.js +37 -37
- package/dist/extensions/tlon/setup-entry.d.ts +1 -1
- package/dist/extensions/tlon/setup-entry.js +37 -37
- package/dist/extensions/together/index.d.ts +1 -1
- package/dist/extensions/together/index.js +35 -35
- package/dist/extensions/twitch/index.d.ts +2 -2
- package/dist/extensions/twitch/index.js +37 -37
- package/dist/extensions/venice/index.d.ts +1 -1
- package/dist/extensions/venice/index.js +35 -35
- package/dist/extensions/vercel-ai-gateway/index.d.ts +1 -1
- package/dist/extensions/vercel-ai-gateway/index.js +36 -36
- package/dist/extensions/vllm/index.d.ts +1 -1
- package/dist/extensions/vllm/index.js +35 -35
- package/dist/extensions/voice-call/index.d.ts +1 -1
- package/dist/extensions/voice-call/index.js +35 -35
- package/dist/extensions/volcengine/index.d.ts +1 -1
- package/dist/extensions/volcengine/index.js +35 -35
- package/dist/extensions/whatsapp/index.d.ts +1 -1
- package/dist/extensions/whatsapp/index.js +38 -38
- package/dist/extensions/whatsapp/setup-entry.d.ts +1 -1
- package/dist/extensions/whatsapp/setup-entry.js +38 -38
- package/dist/extensions/xai/index.d.ts +1 -1
- package/dist/extensions/xai/index.js +35 -35
- package/dist/extensions/xiaomi/index.d.ts +1 -1
- package/dist/extensions/xiaomi/index.js +35 -35
- package/dist/extensions/zai/index.d.ts +1 -1
- package/dist/extensions/zai/index.js +35 -35
- package/dist/extensions/zalo/index.d.ts +1 -1
- package/dist/extensions/zalo/index.js +39 -39
- package/dist/extensions/zalo/setup-entry.d.ts +1 -1
- package/dist/extensions/zalo/setup-entry.js +39 -39
- package/dist/extensions/zalouser/index.d.ts +1 -1
- package/dist/extensions/zalouser/index.js +40 -40
- package/dist/extensions/zalouser/setup-entry.d.ts +1 -1
- package/dist/extensions/zalouser/setup-entry.js +40 -40
- package/dist/feishu-fIcnHDTd.d.ts +36 -0
- package/dist/gateway-cli-0c-8h93_.js +26437 -0
- package/dist/gateway-install-token-1PwJvrBY.js +163 -0
- package/dist/gateway-rpc-C0Vk51W7.js +26 -0
- package/dist/gateway-runtime-CBm3CCoA.js +69 -0
- package/dist/git-commit-BTWXFY41.js +177 -0
- package/dist/git-commit-D6GTN5Yt.js +2 -0
- package/dist/googlechat-BQr4xgoZ.js +307 -0
- package/dist/googlechat-BvwsCVKl.d.ts +12 -0
- package/dist/group-access-DpiQnd-G.d.ts +61 -0
- package/dist/health-6yZQGADY.js +113 -0
- package/dist/health-C9DYGyRe.js +570 -0
- package/dist/heartbeat-summary-Dct2lqJj.js +57 -0
- package/dist/help-CtwSApfq.js +81 -0
- package/dist/hooks-9gokOxZ5.d.ts +6 -0
- package/dist/hooks-cli-BegKzHZT.js +1000 -0
- package/dist/hooks-status-Bm_pGORf.js +78 -0
- package/dist/http-registry-D-S6a1Na.d.ts +20 -0
- package/dist/identity-file-Diub2a0t.js +60 -0
- package/dist/image-generation-CbIVzmAR.d.ts +9 -0
- package/dist/imessage-Bgok9kfl.js +31 -0
- package/dist/imessage-VIHePprL.js +115 -0
- package/dist/inbound-reply-dispatch-B53GAGWq.js +71 -0
- package/dist/inbound-reply-dispatch-n7U3qg15.d.ts +72 -0
- package/dist/index.js +2 -2
- package/dist/install-target-oz1pjfHH.js +574 -0
- package/dist/installs-CUFm5V8a.js +532 -0
- package/dist/io-BaBxjB1v.js +9739 -0
- package/dist/io-CgHb1Jld.js +29 -0
- package/dist/irc-CaRKzGvW.js +672 -0
- package/dist/library-C5SNBCMb.js +112 -0
- package/dist/lifecycle-core-Dn8PK6nk.js +382 -0
- package/dist/line/accounts.d.ts +2 -2
- package/dist/line/send.d.ts +1 -1
- package/dist/line/send.js +7 -7
- package/dist/line/template-messages.d.ts +1 -1
- package/dist/line-B5QFpgN_.d.ts +75 -0
- package/dist/line-fePrrQOD.js +530 -0
- package/dist/llm-slug-generator-hKae3XDA.js +67 -0
- package/dist/llm-slug-generator.d.ts +1 -1
- package/dist/llm-slug-generator.js +36 -36
- package/dist/logging-CdisccbY.js +13 -0
- package/dist/logging-LKQSgX1d.js +30 -0
- package/dist/login-qr-C1YWh4nE.js +233 -0
- package/dist/login-qr-WFluMDMb.js +112 -0
- package/dist/logs-cli-CNzOvZ2d.js +256 -0
- package/dist/manager-runtime-DgMhLTkR.js +111 -0
- package/dist/manager.runtime-hUWgpPt2.js +715 -0
- package/dist/manifest-registry-CS_p1OBQ.js +1329 -0
- package/dist/matrix-43_RGLZN.d.ts +68 -0
- package/dist/matrix-CCFxHfxa.js +1269 -0
- package/dist/matrix-DWs_qIkJ.js +1495 -0
- package/dist/mcp-cli-Ci2jvv3s.js +87 -0
- package/dist/media-understanding.runtime-Cdr6iTW6.js +116 -0
- package/dist/memory-cli-LZbyF0Iu.js +111 -0
- package/dist/memory-search-BHhETk6u.js +17 -0
- package/dist/memory-search-tTD5o_rU.js +204 -0
- package/dist/method-scopes-B2ZKSsxQ.js +2452 -0
- package/dist/model-auth-markers-LqZ4qhrZ.d.ts +20 -0
- package/dist/model-picker-CTR5mo4v.js +112 -0
- package/dist/model-picker-DG4z_dBs.js +390 -0
- package/dist/model-picker.runtime-DMQ9Pj9_.js +125 -0
- package/dist/model-selection-bBBxfXdb.js +653 -0
- package/dist/model-suppression.runtime-BVG75tZ7.js +116 -0
- package/dist/models-BjkVLfgw.js +2514 -0
- package/dist/models-ZO01Q4cx.js +118 -0
- package/dist/models-cli-DemdF-bm.js +309 -0
- package/dist/models-config-B2Jja8ua.js +111 -0
- package/dist/models-config.providers.discovery-puxTsH39.d.ts +18 -0
- package/dist/moldclaw-root-Cb6HRlUO.js +92 -0
- package/dist/monitor-BP4idxJD.js +782 -0
- package/dist/monitor-B_eP8Eim.js +772 -0
- package/dist/monitor-CRHYNl5J.js +3468 -0
- package/dist/monitor-Ci1Xg4g3.js +113 -0
- package/dist/monitor-DEodDl3z.js +6823 -0
- package/dist/monitor-DJlNKuMz.js +115 -0
- package/dist/monitor-DvFwDS9w.js +3076 -0
- package/dist/monitor-shared--cEjSf8s.js +444 -0
- package/dist/msteams-CV2a8uE8.js +852 -0
- package/dist/node-cli-Of2g7DSd.js +2503 -0
- package/dist/node-resolve-BYC2FbO2.js +835 -0
- package/dist/nodes-cli-CPHM6Upj.js +1380 -0
- package/dist/nostr-BFKRoOlz.d.ts +7 -0
- package/dist/nostr-lHpcBzz4.js +8744 -0
- package/dist/npm-resolution-kqHN85wB.js +60 -0
- package/dist/oauth-env-CLG8KOrz.js +10 -0
- package/dist/onboard-BON0C360.js +48 -0
- package/dist/onboard-CRkIBgOI.js +589 -0
- package/dist/onboard-DsKI17iq.js +25 -0
- package/dist/onboard-channels-BY3IbBBf.js +1241 -0
- package/dist/onboard-channels-CLKdRxvW.js +205 -0
- package/dist/onboard-custom-BjPrMo_R.js +571 -0
- package/dist/onboard-custom-DqcPiZBN.js +114 -0
- package/dist/onboard-helpers-BkrOY5OE.js +113 -0
- package/dist/onboard-helpers-DiSRTpZC.js +335 -0
- package/dist/onboard-hooks-pzEPZAvl.js +72 -0
- package/dist/onboard-remote-ChyLC6Dk.js +181 -0
- package/dist/onboard-remote-DHmK9ntl.js +117 -0
- package/dist/onboard-search-BgA3jEMW.js +302 -0
- package/dist/onboard-skills-BMo_NvnW.js +133 -0
- package/dist/onboard-skills-Bba-Z2p8.js +117 -0
- package/dist/outbound-media-BHD4aJEX.d.ts +11 -0
- package/dist/outbound-media-DSno0N82.js +11 -0
- package/dist/pairing-access-CzHpaM0R.d.ts +21 -0
- package/dist/pairing-cli-CmklqK0q.js +217 -0
- package/dist/perplexity-CXwMDD3u.js +24 -0
- package/dist/persistent-dedupe-B9vrAf8t.d.ts +26 -0
- package/dist/pi-model-discovery-runtime-BrK7tcaO.js +111 -0
- package/dist/pi-tools.before-tool-call.runtime-C5yLUogH.js +381 -0
- package/dist/plugin-install-C4AWJIFP.js +117 -0
- package/dist/plugin-install-CB3J1hfV.js +184 -0
- package/dist/plugin-install-plan-7itZiegi.js +49 -0
- package/dist/plugin-registry-DX_GFoiz.js +113 -0
- package/dist/plugin-registry-e3cxTtvb.js +49 -0
- package/dist/plugin-sdk/account-resolution.js +35 -35
- package/dist/plugin-sdk/acp-runtime.js +35 -35
- package/dist/plugin-sdk/agent-runtime.js +35 -35
- package/dist/plugin-sdk/bluebubbles.js +37 -37
- package/dist/plugin-sdk/channel-config-helpers.js +35 -35
- package/dist/plugin-sdk/channel-policy.js +35 -35
- package/dist/plugin-sdk/channel-runtime.js +35 -35
- package/dist/plugin-sdk/compat.js +36 -36
- package/dist/plugin-sdk/config-runtime.js +35 -35
- package/dist/plugin-sdk/conversation-runtime.js +35 -35
- package/dist/plugin-sdk/copilot-proxy.js +4 -4
- package/dist/plugin-sdk/core.js +4 -4
- package/dist/plugin-sdk/device-pair.js +4 -4
- package/dist/plugin-sdk/discord.js +35 -35
- package/dist/plugin-sdk/feishu.js +35 -35
- package/dist/plugin-sdk/gateway-runtime.js +10 -10
- package/dist/plugin-sdk/googlechat.js +37 -37
- package/dist/plugin-sdk/image-generation-runtime.js +35 -35
- package/dist/plugin-sdk/image-generation.js +35 -35
- package/dist/plugin-sdk/imessage.js +36 -36
- package/dist/plugin-sdk/index.js +35 -35
- package/dist/plugin-sdk/infra-runtime.js +35 -35
- package/dist/plugin-sdk/irc.js +37 -37
- package/dist/plugin-sdk/line.js +36 -36
- package/dist/plugin-sdk/llm-task.js +35 -35
- package/dist/plugin-sdk/lobster.js +4 -4
- package/dist/plugin-sdk/matrix.js +37 -37
- package/dist/plugin-sdk/mattermost.js +36 -36
- package/dist/plugin-sdk/media-runtime.js +35 -35
- package/dist/plugin-sdk/media-understanding-runtime.js +35 -35
- package/dist/plugin-sdk/media-understanding.js +35 -35
- package/dist/plugin-sdk/memory-lancedb.js +4 -4
- package/dist/plugin-sdk/minimax-portal-auth.js +4 -4
- package/dist/plugin-sdk/msteams.js +38 -38
- package/dist/plugin-sdk/nextcloud-talk.js +36 -36
- package/dist/plugin-sdk/nostr.js +36 -36
- package/dist/plugin-sdk/ollama-setup.js +9 -9
- package/dist/plugin-sdk/open-prose.js +4 -4
- package/dist/plugin-sdk/phone-control.js +4 -4
- package/dist/plugin-sdk/plugin-runtime.js +35 -35
- package/dist/plugin-sdk/provider-auth.js +35 -35
- package/dist/plugin-sdk/provider-models.js +5 -5
- package/dist/plugin-sdk/provider-onboard.js +4 -4
- package/dist/plugin-sdk/provider-setup.js +39 -39
- package/dist/plugin-sdk/provider-stream.js +4 -4
- package/dist/plugin-sdk/provider-usage.js +4 -4
- package/dist/plugin-sdk/qwen-portal-auth.js +35 -35
- package/dist/plugin-sdk/reply-history.js +35 -35
- package/dist/plugin-sdk/reply-runtime.js +35 -35
- package/dist/plugin-sdk/routing.js +3 -3
- package/dist/plugin-sdk/sandbox.js +35 -35
- package/dist/plugin-sdk/security-runtime.js +35 -35
- package/dist/plugin-sdk/self-hosted-provider-setup.js +37 -37
- package/dist/plugin-sdk/setup.js +35 -35
- package/dist/plugin-sdk/signal.js +35 -35
- package/dist/plugin-sdk/slack.js +35 -35
- package/dist/plugin-sdk/speech-runtime.js +35 -35
- package/dist/plugin-sdk/speech.js +35 -35
- package/dist/plugin-sdk/src/secrets/secure-file-store.d.ts +26 -0
- package/dist/plugin-sdk/src/subscription/provider.d.ts +5 -3
- package/dist/plugin-sdk/synology-chat.js +36 -36
- package/dist/plugin-sdk/talk-voice.js +4 -4
- package/dist/plugin-sdk/telegram.js +35 -35
- package/dist/plugin-sdk/text-runtime.js +7 -7
- package/dist/plugin-sdk/thread-ownership.js +4 -4
- package/dist/plugin-sdk/tlon.js +36 -36
- package/dist/plugin-sdk/twitch.js +35 -35
- package/dist/plugin-sdk/voice-call.js +35 -35
- package/dist/plugin-sdk/whatsapp.js +35 -35
- package/dist/plugin-sdk/zalo.js +38 -38
- package/dist/plugin-sdk/zalouser.js +38 -38
- package/dist/plugins/runtime/index.d.ts +1 -1
- package/dist/plugins/runtime/index.js +35 -35
- package/dist/plugins-DF5FaTO0.js +111 -0
- package/dist/plugins-cli-CvTJemqC.js +917 -0
- package/dist/policy-CNXISK_a.js +143 -0
- package/dist/preflight-audio.runtime-RP000oxo.js +116 -0
- package/dist/probe-BkM5pykD.js +21 -0
- package/dist/probe-DKbRTJv5.js +1793 -0
- package/dist/probe-DkrfRsjU.js +47 -0
- package/dist/probe-DpcJ0WeP.js +129 -0
- package/dist/probe-auth-BcNjX8hy.js +40 -0
- package/dist/probe-auth-DhuAb8ls.js +48 -0
- package/dist/probe-wciBj-aL.js +6329 -0
- package/dist/program-C8-p0mW5.js +253 -0
- package/dist/prompt-select-styled-DH0pVoc0.js +2673 -0
- package/dist/provider-api-key-auth.runtime-CAFeIQ1u.js +121 -0
- package/dist/provider-auth-choice-CB_HzdTl.js +126 -0
- package/dist/provider-auth-choice-helpers-hzDkh3f1.js +48 -0
- package/dist/provider-auth-choice-preference-BHCXvNSE.js +189 -0
- package/dist/provider-auth-choice.runtime-Dx4ms2C5.js +123 -0
- package/dist/provider-auth-choices-0KaDNPBQ.js +57 -0
- package/dist/provider-auth-guidance-BaAUiNr_.js +34 -0
- package/dist/provider-auth-result-Bto1bYtS.d.ts +18 -0
- package/dist/provider-models-DxOmeToO.d.ts +867 -0
- package/dist/provider-models-xnyxy6mO.js +2113 -0
- package/dist/provider-ollama-setup-DBYK__ov.d.ts +32 -0
- package/dist/provider-ollama-setup-QzgCxj44.js +314 -0
- package/dist/provider-onboard-B9ionepI.js +139 -0
- package/dist/provider-onboard-CURxJ_UX.d.ts +40 -0
- package/dist/provider-runtime.runtime-4xwmsl5L.js +111 -0
- package/dist/provider-self-hosted-setup-BHd24EDG.js +182 -0
- package/dist/provider-self-hosted-setup-qeY8BYSy.d.ts +61 -0
- package/dist/provider-stream-Chz_EFw3.js +512 -0
- package/dist/provider-usage-C11Q7UwS.js +111 -0
- package/dist/provider-usage-kxemdMp2.js +633 -0
- package/dist/provider-wizard-CanJoxNC.js +152 -0
- package/dist/push-apns-Dsajnm8C.js +1038 -0
- package/dist/pw-ai-DUe4BbH2.js +1867 -0
- package/dist/qmd-manager-CAAFp7qK.js +1570 -0
- package/dist/qr-cli-Bu2jqTPY.js +113 -0
- package/dist/qr-cli-Bu9Z-X48.js +369 -0
- package/dist/reactions-Cpfum4iU.js +281 -0
- package/dist/read-only-account-inspect.discord.runtime-BK0LaMgC.js +116 -0
- package/dist/read-only-account-inspect.slack.runtime-DgKiC5wT.js +116 -0
- package/dist/read-only-account-inspect.telegram.runtime-mxfgFVOU.js +116 -0
- package/dist/redact-snapshot-DD8A4tdd.js +2663 -0
- package/dist/register.agent-DU4FtrU2.js +439 -0
- package/dist/register.backup-8nOYtJqg.js +625 -0
- package/dist/register.configure-DmtecqIH.js +252 -0
- package/dist/register.maintenance-Dir3ulKP.js +574 -0
- package/dist/register.message-Cfl-f3Ju.js +709 -0
- package/dist/register.onboard-Bv7WVzEi.js +192 -0
- package/dist/register.setup-BIyeI8RY.js +212 -0
- package/dist/register.status-health-sessions-C69WQcF4.js +498 -0
- package/dist/register.subclis-B_4KCgTd.js +315 -0
- package/dist/register.subclis-BeXsmgBL.js +13 -0
- package/dist/replies-DdcFUmki.js +110 -0
- package/dist/resolve-channels-DRZqPV5o.js +226 -0
- package/dist/resolve-channels-DxW1kqxA.js +262 -0
- package/dist/resolve-route-DdX-HBVt.js +538 -0
- package/dist/resolve-users-rgCQvkLs.js +143 -0
- package/dist/root-help-QAkoA7GD.js +32 -0
- package/dist/routes-CcJNnwTF.js +7097 -0
- package/dist/rpc-DDUAlBbH.js +67 -0
- package/dist/run-main-D9ci5pn7.js +424 -0
- package/dist/runtime-Bitmi8Er.d.ts +26 -0
- package/dist/runtime-discord-ops.runtime-T4sf7aRB.js +9078 -0
- package/dist/runtime-slack-ops.runtime-BQpP48mC.js +4556 -0
- package/dist/runtime-telegram-ops.runtime-cVO5dqOp.js +133 -0
- package/dist/runtime-whatsapp-login.runtime-DtNx0dSY.js +114 -0
- package/dist/runtime-whatsapp-outbound.runtime-Bw47QbFK.js +117 -0
- package/dist/sandbox-cli-DsFwjbjC.js +535 -0
- package/dist/search-manager-BRAK8fEe.js +16 -0
- package/dist/search-manager-BS5Db0A6.js +386 -0
- package/dist/secrets-cli-D3J46TJp.js +2070 -0
- package/dist/security-cli-B866M9cB.js +575 -0
- package/dist/send-B1pX9_Oc.js +283 -0
- package/dist/send-B2RrLg83.js +100 -0
- package/dist/send-DFnV__Aq.js +1025 -0
- package/dist/send-DZIH6CJt.js +629 -0
- package/dist/send-sl9WnKbW.js +631 -0
- package/dist/server-node-events-BT6egg20.js +506 -0
- package/dist/server-zI_K-D05.js +107 -0
- package/dist/sessions-C8kiAcoJ.js +112 -0
- package/dist/sessions-DLBpp52_.js +218 -0
- package/dist/setup-C7eOzMiC.js +387 -0
- package/dist/setup-CFIMq-Pz.d.ts +37 -0
- package/dist/setup-binary-CcAv8NXz.js +406 -0
- package/dist/setup-browser-C4eRV3h6.js +70 -0
- package/dist/setup-core-BnR486P-.js +143 -0
- package/dist/setup-core-CIswIiu5.js +166 -0
- package/dist/setup-core-CcbcrXXg.js +47 -0
- package/dist/setup-core-nZSw5BSv.js +205 -0
- package/dist/setup-surface-C5iSpT4M.js +490 -0
- package/dist/setup-wizard-helpers-r0J6l8ST.d.ts +203 -0
- package/dist/setup.finalize-adiRfo0U.js +522 -0
- package/dist/setup.gateway-config-BwFWKDfT.js +343 -0
- package/dist/shared-12TimyeF.js +182 -0
- package/dist/shared-9EWO34-k.js +298 -0
- package/dist/shared-B4vUbaRR.js +75 -0
- package/dist/shared-bNWpW3Dd.js +96 -0
- package/dist/shared-lU1y5dvS.js +102 -0
- package/dist/signal-DBlETRu9.js +114 -0
- package/dist/skills-Bio8GwTE.js +20 -0
- package/dist/skills-DE_MXFSN.js +853 -0
- package/dist/skills-cli-BGuW-tKw.js +292 -0
- package/dist/skills-install--rnorIoJ.js +763 -0
- package/dist/skills-status-B08PtBc_.js +21 -0
- package/dist/skills-status-CzM008aB.js +169 -0
- package/dist/slack-C4T53Nc-.js +114 -0
- package/dist/slash-commands.runtime-B7fsD8Be.js +128 -0
- package/dist/slash-dispatch.runtime-t0PAX4vQ.js +141 -0
- package/dist/slash-skill-commands.runtime-DIhPnEfR.js +116 -0
- package/dist/src-DrDirlvw.js +1701 -0
- package/dist/status-Bld14WSA.js +131 -0
- package/dist/status-CgeO4RuH.js +43 -0
- package/dist/status-HlvixAOq.js +606 -0
- package/dist/status-Rom_Lf3c.js +1599 -0
- package/dist/status-TwbMH6Am.js +126 -0
- package/dist/status-json-DMW7cmuK.js +288 -0
- package/dist/status.link-channel-V4LkB6Gq.js +143 -0
- package/dist/status.scan.deps.runtime-BE3X-dcP.js +126 -0
- package/dist/status.scan.runtime-BxVY4mty.js +119 -0
- package/dist/status.summary-CzLM0vVr.js +592 -0
- package/dist/status.summary.runtime-BSBnHZ1Q.js +118 -0
- package/dist/status.update-BxblMS7P.js +77 -0
- package/dist/subagent-orphan-recovery-BpRPryEj.js +307 -0
- package/dist/subagent-registry-runtime-DYYU5p3X.js +111 -0
- package/dist/subscription-CpFdxuFS.js +33 -0
- package/dist/subscription-DaA1urx-.js +102 -0
- package/dist/subscription-cli-Bvto9EmO.js +134 -0
- package/dist/synology-chat-3nwk-Nj0.js +297 -0
- package/dist/system-cli-BvNps8sl.js +94 -0
- package/dist/telegram/audit.d.ts +1 -1
- package/dist/telegram/audit.js +1 -1
- package/dist/telegram/token.d.ts +1 -1
- package/dist/telegram/token.js +35 -35
- package/dist/telegram-RtKXoEsF.js +114 -0
- package/dist/text-chunking-BD5mQe2R.js +84 -0
- package/dist/text-chunking-DDUU_vAF.d.ts +79 -0
- package/dist/tlon-z-kYmJE-.js +433 -0
- package/dist/tui-cli-CzSK08Rh.js +137 -0
- package/dist/tui-wV7R1Tlc.js +3834 -0
- package/dist/types-2H_e7eWT.d.ts +45 -0
- package/dist/types-ZKnGUchG.d.ts +22692 -0
- package/dist/types.base-BFiQZ4J9.d.ts +188 -0
- package/dist/ui-BWVHreeR.js +31 -0
- package/dist/update-D1Wgh1Tj.js +1036 -0
- package/dist/update-cli-CZh99uyY.js +1503 -0
- package/dist/update-offset-store-D5xTdUr0.js +112 -0
- package/dist/update-runner-GbKfoCHs.js +1496 -0
- package/dist/upsert-with-lock-BZU7Le8n.js +33 -0
- package/dist/usage-Czgwvg0h.js +115 -0
- package/dist/web-CMczmL90.js +112 -0
- package/dist/web-shared-B5Q0mIJq.d.ts +45 -0
- package/dist/webhook-request-guards-CsKDhZJr.d.ts +76 -0
- package/dist/webhook-targets-BSmFtesN.js +181 -0
- package/dist/webhook-targets-CjxuEE9C.d.ts +106 -0
- package/dist/webhooks-cli-Wl9y6AWW.js +350 -0
- package/dist/whatsapp-VzRW8MdR.js +114 -0
- package/dist/whatsapp-actions-Cg1Wxv8W.js +167 -0
- package/dist/workspace-DJ_S272u.js +484 -0
- package/dist/workspace-DbZSqjw0.js +289 -0
- package/dist/workspace-cli-D93DLmAh.js +154 -0
- package/dist/workspace-dirs-CGeIPpGN.js +2003 -0
- package/dist/zalo-CK2dlGmu.d.ts +9 -0
- package/dist/zalo-Db7s2boL.js +415 -0
- package/dist/zalouser-Jh5YTJX3.js +30911 -0
- package/docs/reference/templates/AGENTS.dev.md +83 -0
- package/docs/reference/templates/AGENTS.md +219 -0
- package/docs/reference/templates/BOOT.md +11 -0
- package/docs/reference/templates/BOOTSTRAP.md +62 -0
- package/docs/reference/templates/HEARTBEAT.md +12 -0
- package/docs/reference/templates/IDENTITY.dev.md +47 -0
- package/docs/reference/templates/IDENTITY.md +29 -0
- package/docs/reference/templates/SOUL.dev.md +76 -0
- package/docs/reference/templates/SOUL.md +43 -0
- package/docs/reference/templates/TOOLS.dev.md +24 -0
- package/docs/reference/templates/TOOLS.md +47 -0
- package/docs/reference/templates/USER.dev.md +18 -0
- package/docs/reference/templates/USER.md +23 -0
- package/extensions/discord/src/monitor/allow-list.ts +8 -1
- package/extensions/discord/src/monitor/message-handler.preflight.ts +4 -1
- package/package.json +2 -1
- package/dist/accounts-CDr-lDaV.d.ts +0 -103
- package/dist/accounts-CS8U4v8C.js +0 -114
- package/dist/acp-cli-BGT0jXcC.js +0 -2093
- package/dist/actions.runtime-BfckTw6c.js +0 -119
- package/dist/actions.runtime-Cl9mBfqH.js +0 -133
- package/dist/agent-scope-C-YmLnnb.js +0 -208
- package/dist/agents-CydD54p8.js +0 -222
- package/dist/agents-DpQsZO6O.js +0 -853
- package/dist/agents.config-XU7IsYE-.js +0 -121
- package/dist/agents.config-ssoQXuvF.js +0 -17
- package/dist/allow-list-Cfn6lmMK.js +0 -81
- package/dist/allowlist-CCYXVpM9.js +0 -142
- package/dist/api-BoXoFKxy.js +0 -117
- package/dist/audit-Bv05N5o9.js +0 -787
- package/dist/audit-CIWW1Aqm.js +0 -54
- package/dist/audit-channel.collect.runtime-Bi7yrdcO.js +0 -605
- package/dist/audit-channel.runtime-C_NDweiW.js +0 -121
- package/dist/audit-extra.async-Dp7OKSXg.js +0 -813
- package/dist/audit-membership-runtime-B8FQ6VtN.js +0 -162
- package/dist/audit.deep.runtime-CXhobL6b.js +0 -25
- package/dist/audit.nondeep.runtime-CrEm3T16.js +0 -832
- package/dist/audit.runtime-CJPKj1Zg.js +0 -118
- package/dist/auth-Byfp0flq.js +0 -101
- package/dist/auth-choice-BgOjdeXN.js +0 -507
- package/dist/auth-choice-CD1Heq0M.js +0 -122
- package/dist/auth-choice-ePNfg0iQ.js +0 -268
- package/dist/auth-choice-options-BlewQWI0.js +0 -123
- package/dist/auth-choice-prompt-BP2b6aXz.js +0 -36
- package/dist/auth-choice-prompt-Cmwl4n97.js +0 -115
- package/dist/auth-choice.apply-helpers-Dq-nxuuX.js +0 -66
- package/dist/auth-choice.plugin-providers.runtime-B23kOUzQ.js +0 -119
- package/dist/auth-profiles-1kPLbBwI.js +0 -127823
- package/dist/auth-profiles.runtime-DAfSjku1.js +0 -116
- package/dist/banner-DeOsobLO.js +0 -342
- package/dist/bluebubbles-BsLGedBM.js +0 -64
- package/dist/bluebubbles-CnT9wiS4.d.ts +0 -6
- package/dist/bot-CuzVYwa_.d.ts +0 -478
- package/dist/brave-BoWimrLe.js +0 -24
- package/dist/browser-cli-D_S3wEYE.js +0 -1494
- package/dist/call-ByEzDJ1_.js +0 -640
- package/dist/call-CHCWVg-O.js +0 -39
- package/dist/channel-3VC0oOMu.js +0 -214
- package/dist/channel-B9fCBPiS.js +0 -207
- package/dist/channel-B9q775cM.js +0 -562
- package/dist/channel-BG3UK54j.js +0 -803
- package/dist/channel-BRQAdMML.js +0 -352
- package/dist/channel-BmlLp933.js +0 -1321
- package/dist/channel-By6KvdTG.js +0 -920
- package/dist/channel-C8rRsdf6.js +0 -226
- package/dist/channel-CLEDBbXE.js +0 -943
- package/dist/channel-CMvBAG7o.js +0 -306
- package/dist/channel-CmlxxjHY.js +0 -1598
- package/dist/channel-CqG6_xN0.js +0 -949
- package/dist/channel-DNueHKs92.js +0 -316
- package/dist/channel-DUtyN7BX.js +0 -4681
- package/dist/channel-DWD6GrfZ.js +0 -538
- package/dist/channel-DaRYMYzj.js +0 -619
- package/dist/channel-Dj6BgLp8.js +0 -575
- package/dist/channel-account-context-Ba3u5D21.js +0 -103
- package/dist/channel-crabk6Em.js +0 -542
- package/dist/channel-i8uqQaK2.js +0 -497
- package/dist/channel-options-xljvwHS2.js +0 -50
- package/dist/channel-plugin-ids-DAgknSG4.js +0 -26
- package/dist/channel-summary-dHTMCG75.js +0 -111
- package/dist/channel-xVWQ96Ni.js +0 -397
- package/dist/channel.runtime-B6PoZ4BV.js +0 -182
- package/dist/channel.runtime-BPZmo57e.js +0 -404
- package/dist/channel.runtime-B_1uGR-U.js +0 -199
- package/dist/channel.runtime-BiXnPU0d.js +0 -218
- package/dist/channel.runtime-BpvDc9sv.js +0 -870
- package/dist/channel.runtime-CUua3W80.js +0 -418
- package/dist/channel.runtime-CaCBTd0A.js +0 -179
- package/dist/channel.runtime-D0FfYvUj.js +0 -4011
- package/dist/channel.runtime-DhoJtpvJ.js +0 -241
- package/dist/channel.runtime-Kj9EXNE0.js +0 -127
- package/dist/channel.runtime-r4tPuPyh.js +0 -171
- package/dist/channel.setup-B7d_grfe.js +0 -6
- package/dist/channel.setup-C0vu1fhi.js +0 -9
- package/dist/channel.setup-CAI0FNHj.js +0 -11
- package/dist/channel.setup-CkDVwv5R.js +0 -57
- package/dist/channel.setup-Cpd00YqQ.js +0 -8
- package/dist/channel.setup-DbBz1-WT.js +0 -9
- package/dist/channel.setup-GZnAvD9g.js +0 -8
- package/dist/channels-5H484RSw.js +0 -1118
- package/dist/channels-BnPudfyx.js +0 -404
- package/dist/channels-cli-WIC-QeH_.js +0 -291
- package/dist/channels-status-issues-RDmzovJU.js +0 -16
- package/dist/clawbot-cli-BgutNwf8.js +0 -118
- package/dist/cleanup-utils-DBl1Aij1.js +0 -96
- package/dist/cli-1P7u6zqu.js +0 -154
- package/dist/command-registry-B8jovrws.js +0 -232
- package/dist/command-registry-DtDl1FVm.js +0 -14
- package/dist/command-secret-gateway-BgUo3FxJ.js +0 -111
- package/dist/compact.runtime-CXbXM0AU.js +0 -116
- package/dist/completion-cli-Cik_owAE.js +0 -17
- package/dist/completion-cli-RU3P2RSl.js +0 -445
- package/dist/config-5HUpB1L1.js +0 -31
- package/dist/config-cli-QHaUHoZI.js +0 -433
- package/dist/config-guard-C9Sn3pE-.js +0 -118
- package/dist/config-sW57gztj.js +0 -44
- package/dist/config-validation-5LkjIKNt.js +0 -262
- package/dist/config-value-CtTWALxG.js +0 -132
- package/dist/configure-BmR2TPLf.js +0 -243
- package/dist/configure-DaLN-5xM.js +0 -1100
- package/dist/control-ui-assets-CH3MYmAo.js +0 -232
- package/dist/control-ui-shared-CA77PTml.js +0 -29
- package/dist/core-CvDzLs7B.js +0 -150
- package/dist/core-jm751KJ9.d.ts +0 -87
- package/dist/cron-cli-tguLpzyq.js +0 -639
- package/dist/daemon-cli-ptosOkL8.js +0 -339
- package/dist/daemon-install-DzU4EnVa.js +0 -180
- package/dist/deliver-DwxFoHM3.js +0 -111
- package/dist/deliver-runtime-DOdDyaPI.js +0 -111
- package/dist/device-id-cli-GopvlxxZ.js +0 -52
- package/dist/device-identity-CRfhC3_s.js +0 -365
- package/dist/devices-cli-ain7ESqU.js +0 -342
- package/dist/diagnostic-D96Xaqrj.js +0 -310
- package/dist/directory-cli-fh1UxGgY.js +0 -311
- package/dist/directory-config-helpers-Coivm0Mt.d.ts +0 -38
- package/dist/directory.static-CKjJUNGl.js +0 -44
- package/dist/discord-CflhwDEM.js +0 -114
- package/dist/discovery-x0ZqY4AB.js +0 -48
- package/dist/dm-policy-shared-DKzsSLlO.d.ts +0 -95
- package/dist/dns-cli-DCHyKjGf.js +0 -217
- package/dist/docs-cli-D3OoqYSP.js +0 -174
- package/dist/doctor-completion-Bq2eP87s.js +0 -90
- package/dist/doctor-config-flow-D8XRG9Ku.js +0 -2437
- package/dist/doctor-config-flow-DGiF1HGc.js +0 -112
- package/dist/enable-0QSF4YGH.js +0 -24
- package/dist/exec-approvals-cli-Bncym0Gd.js +0 -421
- package/dist/feishu-C1dM8pl2.d.ts +0 -36
- package/dist/gateway-cli-DYscsmA-.js +0 -26437
- package/dist/gateway-install-token-CNv17ac9.js +0 -163
- package/dist/gateway-rpc-BGC1Rxvg.js +0 -26
- package/dist/gateway-runtime-D89mSQPB.js +0 -69
- package/dist/git-commit-CeLH5Ozm.js +0 -2
- package/dist/git-commit-DUKRiCP-.js +0 -177
- package/dist/googlechat-BgXeXjd1.js +0 -307
- package/dist/googlechat-CNZQb1jd.d.ts +0 -12
- package/dist/group-access-Deh1tVNr.d.ts +0 -61
- package/dist/health-BEjzWwaB.js +0 -570
- package/dist/health-FjqrWQL6.js +0 -113
- package/dist/heartbeat-summary-CfdSA9M1.js +0 -57
- package/dist/help-BZeVprq1.js +0 -81
- package/dist/hooks-06OUQvAV.d.ts +0 -6
- package/dist/hooks-cli-B7uGJs2O.js +0 -1000
- package/dist/hooks-status-CfceaUSg.js +0 -78
- package/dist/http-registry-DYskWhOr.d.ts +0 -20
- package/dist/identity-file-sshkKKIr.js +0 -60
- package/dist/image-generation-D4o3j8o6.d.ts +0 -9
- package/dist/imessage-BcV3WGx_.js +0 -31
- package/dist/imessage-Dhje7Ty-.js +0 -115
- package/dist/inbound-reply-dispatch-C73_7SOl.js +0 -71
- package/dist/inbound-reply-dispatch-D6_HNqH8.d.ts +0 -72
- package/dist/install-target-D7NRhfzc.js +0 -574
- package/dist/installs-Bj6jblqc.js +0 -532
- package/dist/io-CMfWWPXQ.js +0 -9738
- package/dist/io-CV844hAM.js +0 -29
- package/dist/irc-DKi1fDYI.js +0 -672
- package/dist/library-rygTG3oA.js +0 -112
- package/dist/lifecycle-core-BPlvShWY.js +0 -382
- package/dist/line-B8gTtl3Y.d.ts +0 -75
- package/dist/line-CGsemKWJ.js +0 -530
- package/dist/llm-slug-generator-DlhVyMqT.js +0 -67
- package/dist/logging-5wu9k6w4.js +0 -30
- package/dist/logging-CxP9suT8.js +0 -13
- package/dist/login-qr-BcDsiwHs.js +0 -233
- package/dist/login-qr-Y8pJ5yV4.js +0 -112
- package/dist/logs-cli-XI9oVXpH.js +0 -256
- package/dist/manager-runtime-DkIlXBhD.js +0 -111
- package/dist/manager.runtime-Q0q2rJCC.js +0 -715
- package/dist/manifest-registry-DAd0SRAP.js +0 -1329
- package/dist/matrix-BI0DBBrG.js +0 -1495
- package/dist/matrix-D2JoHzb4.d.ts +0 -68
- package/dist/matrix-DiABGjJR.js +0 -1269
- package/dist/mcp-cli-BOyn_DLL.js +0 -87
- package/dist/media-understanding.runtime-DjUa7Dka.js +0 -116
- package/dist/memory-cli-CJd_vl-Y.js +0 -111
- package/dist/memory-search-CEEItIFR.js +0 -17
- package/dist/memory-search-Cv1SBrn7.js +0 -204
- package/dist/method-scopes-CQE7-bZ-.js +0 -2452
- package/dist/model-auth-markers-BFoM4IPf.d.ts +0 -20
- package/dist/model-picker-D6_89XHg.js +0 -112
- package/dist/model-picker-Svaw-APs.js +0 -390
- package/dist/model-picker.runtime-Chi9nV7A.js +0 -125
- package/dist/model-selection-hL8i1Jbs.js +0 -653
- package/dist/model-suppression.runtime-DjWJZ0X-.js +0 -116
- package/dist/models-7qj1dG_W.js +0 -118
- package/dist/models-BPOB_xJF.js +0 -2514
- package/dist/models-cli-DdlOVUjS.js +0 -309
- package/dist/models-config-CBqUS-jX.js +0 -111
- package/dist/models-config.providers.discovery-Dc905FWG.d.ts +0 -18
- package/dist/moldclaw-root-D6PbhbZk.js +0 -88
- package/dist/monitor-BPYhkEqF.js +0 -782
- package/dist/monitor-BuTcQ24j.js +0 -3468
- package/dist/monitor-CuXvNhFh.js +0 -113
- package/dist/monitor-D-TqSIHF.js +0 -6823
- package/dist/monitor-DRSgo9u2.js +0 -3076
- package/dist/monitor-DcHch39z.js +0 -772
- package/dist/monitor-DsHBMrXp.js +0 -115
- package/dist/monitor-shared-CL8T4gt1.js +0 -444
- package/dist/msteams-7FMwTvQG.js +0 -852
- package/dist/node-cli-BCjaSCZM.js +0 -2503
- package/dist/node-resolve-D5Hvcgyx.js +0 -835
- package/dist/nodes-cli-Dd_SNbkt.js +0 -1380
- package/dist/nostr-DBTFTxKs.js +0 -8744
- package/dist/nostr-DLqaIuZx.d.ts +0 -7
- package/dist/npm-resolution-CYfb3MHG.js +0 -60
- package/dist/oauth-env-zPt5RywA.js +0 -10
- package/dist/onboard-BEFQQeig.js +0 -25
- package/dist/onboard-CJHNyxJh.js +0 -48
- package/dist/onboard-D_3UeLEN.js +0 -589
- package/dist/onboard-channels-B_JL0Djc.js +0 -1241
- package/dist/onboard-channels-CqZzHt2C.js +0 -205
- package/dist/onboard-custom-CER3Ggbq.js +0 -571
- package/dist/onboard-custom-bNRdGECb.js +0 -114
- package/dist/onboard-helpers-BK0Hsb7Y.js +0 -335
- package/dist/onboard-helpers-CXZ5RPoR.js +0 -113
- package/dist/onboard-hooks-1NsxEDjH.js +0 -72
- package/dist/onboard-remote-DuKhC_7W.js +0 -117
- package/dist/onboard-remote-OwRcDuB3.js +0 -181
- package/dist/onboard-search-Cy8dOq2W.js +0 -302
- package/dist/onboard-skills-D5phRa6r.js +0 -117
- package/dist/onboard-skills-c9qWCNe9.js +0 -133
- package/dist/outbound-media-CXKqTh2X.d.ts +0 -11
- package/dist/outbound-media-DYRO2vTD.js +0 -11
- package/dist/pairing-access-BwJu1mkk.d.ts +0 -21
- package/dist/pairing-cli-BOnv0TYn.js +0 -217
- package/dist/perplexity-EZwC3y2b.js +0 -24
- package/dist/persistent-dedupe-hNES5tS1.d.ts +0 -26
- package/dist/pi-model-discovery-runtime-BToY3A6K.js +0 -111
- package/dist/pi-tools.before-tool-call.runtime-D_acPtld.js +0 -381
- package/dist/plugin-install-CgJpSjYd.js +0 -184
- package/dist/plugin-install-Cl1A4EF6.js +0 -117
- package/dist/plugin-install-plan-Dc2Z4DeU.js +0 -49
- package/dist/plugin-registry-B1UaWrQD.js +0 -49
- package/dist/plugin-registry-Cy8biwnn.js +0 -113
- package/dist/plugins-CXwvg50F.js +0 -111
- package/dist/plugins-cli-Uvzp2aYV.js +0 -917
- package/dist/policy-DsMBbEe7.js +0 -143
- package/dist/preflight-audio.runtime-hWsZIYvc.js +0 -116
- package/dist/probe-CNsSf1Uf.js +0 -6329
- package/dist/probe-CqOIrPhb.js +0 -47
- package/dist/probe-DH6gDw-h.js +0 -129
- package/dist/probe-DM16PLf4.js +0 -21
- package/dist/probe-DvAEEWYr.js +0 -1793
- package/dist/probe-auth-COfgCble.js +0 -48
- package/dist/probe-auth-I_5TX1Eh.js +0 -40
- package/dist/program-Dz80sgTU.js +0 -253
- package/dist/prompt-select-styled-wQehwFxK.js +0 -2673
- package/dist/provider-api-key-auth.runtime-BR9GU4ya.js +0 -121
- package/dist/provider-auth-choice-CdhA84kr.js +0 -126
- package/dist/provider-auth-choice-helpers-kabp_0zA.js +0 -48
- package/dist/provider-auth-choice-preference-se3zAM_2.js +0 -189
- package/dist/provider-auth-choice.runtime-BMc8-xNQ.js +0 -123
- package/dist/provider-auth-choices-CYsCViGi.js +0 -57
- package/dist/provider-auth-guidance-CMjUWlNf.js +0 -34
- package/dist/provider-auth-result-5xgWoVGi.d.ts +0 -18
- package/dist/provider-models-BCId_Lfu.js +0 -2113
- package/dist/provider-models-D-eFl9oH.d.ts +0 -867
- package/dist/provider-ollama-setup-B6XJZ0So.js +0 -314
- package/dist/provider-ollama-setup-BF1vhob8.d.ts +0 -32
- package/dist/provider-onboard-BjXHP3IZ.d.ts +0 -40
- package/dist/provider-onboard-Ca0TaNud.js +0 -139
- package/dist/provider-runtime.runtime-DwwkHw_7.js +0 -111
- package/dist/provider-self-hosted-setup-BEKLVGpj.js +0 -182
- package/dist/provider-self-hosted-setup-BQ5BIlpi.d.ts +0 -61
- package/dist/provider-stream-DrUD69ai.js +0 -512
- package/dist/provider-usage-BgKHCnjr.js +0 -111
- package/dist/provider-usage-D8EZpFz9.js +0 -633
- package/dist/provider-wizard-DMdb-zj_.js +0 -152
- package/dist/push-apns-BPH6d4VV.js +0 -1038
- package/dist/pw-ai-DttfldtL.js +0 -1867
- package/dist/qmd-manager-CybcDUfk.js +0 -1570
- package/dist/qr-cli-8NcmJ8Ft.js +0 -369
- package/dist/qr-cli-DWe0Our3.js +0 -113
- package/dist/reactions-D6N0LR16.js +0 -281
- package/dist/read-only-account-inspect.discord.runtime-CqUWTRfl.js +0 -116
- package/dist/read-only-account-inspect.slack.runtime-9-jpln3q.js +0 -116
- package/dist/read-only-account-inspect.telegram.runtime-EKPI1D7n.js +0 -116
- package/dist/redact-snapshot-DwJEIVk9.js +0 -2663
- package/dist/register.agent-D3YdDirP.js +0 -439
- package/dist/register.backup-dR27qCuo.js +0 -625
- package/dist/register.configure-BjFhkkka.js +0 -252
- package/dist/register.maintenance-DiMQJIOa.js +0 -574
- package/dist/register.message-CdZsKYH1.js +0 -709
- package/dist/register.onboard-B0rV1eaO.js +0 -192
- package/dist/register.setup-wKMvohzo.js +0 -212
- package/dist/register.status-health-sessions-BJ68m6pt.js +0 -498
- package/dist/register.subclis-CnnrWt2a.js +0 -315
- package/dist/register.subclis-lSvTkC6z.js +0 -13
- package/dist/replies-BABt9b48.js +0 -110
- package/dist/resolve-channels-BqZFl2Ux.js +0 -262
- package/dist/resolve-channels-DjQLXb7B.js +0 -226
- package/dist/resolve-route-CSHDsa_m.js +0 -538
- package/dist/resolve-users-BG6HaSR5.js +0 -143
- package/dist/root-help-ohmaCyC_.js +0 -32
- package/dist/routes-4k2kpvoT.js +0 -7097
- package/dist/rpc-Cnwn4Q6L.js +0 -67
- package/dist/run-main-VYlacKA0.js +0 -424
- package/dist/runtime-Cy8pqYUB.d.ts +0 -26
- package/dist/runtime-discord-ops.runtime-DafrU-rI.js +0 -9078
- package/dist/runtime-slack-ops.runtime-CdXBKXwd.js +0 -4556
- package/dist/runtime-telegram-ops.runtime-B12sF7gE.js +0 -133
- package/dist/runtime-whatsapp-login.runtime-CqEudH37.js +0 -114
- package/dist/runtime-whatsapp-outbound.runtime-D5m2qyn-.js +0 -117
- package/dist/sandbox-cli-CHJiEWXB.js +0 -535
- package/dist/search-manager-BtNC3-i_.js +0 -16
- package/dist/search-manager-C7J7B3_a.js +0 -386
- package/dist/secrets-cli-C6yIWBbN.js +0 -2070
- package/dist/security-cli-BVu9BkjD.js +0 -575
- package/dist/send-BSreC7rr.js +0 -631
- package/dist/send-BsLHQG_B.js +0 -1025
- package/dist/send-BuNhp8PH.js +0 -283
- package/dist/send-DOCswVar.js +0 -100
- package/dist/send-Dl0LLErk.js +0 -629
- package/dist/server-node-events-Bq2067EG.js +0 -506
- package/dist/server-y38L7N5H.js +0 -107
- package/dist/sessions-BV8gXURR.js +0 -112
- package/dist/sessions-dl1Kc-Ci.js +0 -218
- package/dist/setup-DGszQH0_.js +0 -387
- package/dist/setup-DR5rRw9y.d.ts +0 -37
- package/dist/setup-binary-C17YnmA8.js +0 -406
- package/dist/setup-browser-CPx-nEsr.js +0 -70
- package/dist/setup-core-BByHN1ME.js +0 -143
- package/dist/setup-core-C0KPlBmL.js +0 -47
- package/dist/setup-core-Cq37G6of.js +0 -166
- package/dist/setup-core-uO84_Y75.js +0 -205
- package/dist/setup-surface-BEMi7Rmb.js +0 -490
- package/dist/setup-wizard-helpers-BtuGx_gN.d.ts +0 -203
- package/dist/setup.finalize-BzPBa8zW.js +0 -522
- package/dist/setup.gateway-config-DdwkF-8e.js +0 -343
- package/dist/shared-BCw4SKjB.js +0 -96
- package/dist/shared-CjNzsULP.js +0 -75
- package/dist/shared-Cu1BE7ZE.js +0 -298
- package/dist/shared-DSClmyUn.js +0 -182
- package/dist/shared-DyJdGH6y.js +0 -102
- package/dist/signal-Dyv4NZsB.js +0 -114
- package/dist/skills-CbB5b27M.js +0 -853
- package/dist/skills-CnfI7Szw.js +0 -20
- package/dist/skills-cli-CavB1f_3.js +0 -292
- package/dist/skills-install-B1OBdgd0.js +0 -763
- package/dist/skills-status-B3gAmIbW.js +0 -169
- package/dist/skills-status-DrHhFgU9.js +0 -21
- package/dist/slack-BRzqnoAz.js +0 -114
- package/dist/slash-commands.runtime-BK88kgds.js +0 -128
- package/dist/slash-dispatch.runtime-COGywwJE.js +0 -141
- package/dist/slash-skill-commands.runtime-Ti4brxgh.js +0 -116
- package/dist/src-DUR6OQxI.js +0 -1701
- package/dist/status-C6dgQY9a.js +0 -131
- package/dist/status-CNK0Q7QH.js +0 -606
- package/dist/status-DBcX0DSC.js +0 -43
- package/dist/status-DKgFgbwv.js +0 -1599
- package/dist/status-Wn5lhNAc.js +0 -126
- package/dist/status-json-D2EkWqAl.js +0 -288
- package/dist/status.link-channel-D3ULIdEa.js +0 -143
- package/dist/status.scan.deps.runtime-BsjWTAm4.js +0 -126
- package/dist/status.scan.runtime-D4HbzROD.js +0 -119
- package/dist/status.summary-C3YxPrDK.js +0 -592
- package/dist/status.summary.runtime-DAkXPSaK.js +0 -118
- package/dist/status.update-B4NnN9P1.js +0 -77
- package/dist/subagent-orphan-recovery-QiQEBv36.js +0 -307
- package/dist/subagent-registry-runtime-BJatPQFK.js +0 -111
- package/dist/subscription-BhZORXN9.js +0 -100
- package/dist/subscription-QEUjQRMv.js +0 -33
- package/dist/subscription-cli-HrULlAgc.js +0 -134
- package/dist/synology-chat-DB76GWMN.js +0 -297
- package/dist/system-cli-D8jDwWuL.js +0 -94
- package/dist/telegram-BHiiqKkQ.js +0 -114
- package/dist/text-chunking-Baonm9Lu.js +0 -84
- package/dist/text-chunking-Y3dPBOuZ.d.ts +0 -79
- package/dist/tlon-DLESxNgD.js +0 -433
- package/dist/tui-C75zi2Cl.js +0 -3834
- package/dist/tui-cli-DFwx5e6i.js +0 -137
- package/dist/types-BBJ3Qz7j.d.ts +0 -45
- package/dist/types-Ckufs_BY.d.ts +0 -22692
- package/dist/types.base-Cw0-zIvE.d.ts +0 -188
- package/dist/ui-B55NOIB6.js +0 -31
- package/dist/update--ojavYQ4.js +0 -1036
- package/dist/update-cli-Cvj5aWYM.js +0 -1503
- package/dist/update-offset-store-upatuWwX.js +0 -112
- package/dist/update-runner-DHkY_-76.js +0 -1496
- package/dist/upsert-with-lock-C171GLaR.js +0 -33
- package/dist/usage-N3bxnbmt.js +0 -115
- package/dist/web-RdvT7gKa.js +0 -112
- package/dist/web-shared-HSGD3yGt.d.ts +0 -45
- package/dist/webhook-request-guards-CosLyl01.d.ts +0 -76
- package/dist/webhook-targets-Bfnag-du.js +0 -181
- package/dist/webhook-targets-Di17rt8e.d.ts +0 -106
- package/dist/webhooks-cli-ZpnXrq7G.js +0 -350
- package/dist/whatsapp-DNTAyZHt.js +0 -114
- package/dist/whatsapp-actions-o1zKQzKZ.js +0 -167
- package/dist/workspace-CpWi5wPr.js +0 -479
- package/dist/workspace-Ii7aRS7c.js +0 -289
- package/dist/workspace-dirs-x10McA9t.js +0 -2003
- package/dist/zalo-BN3VCrRY.d.ts +0 -9
- package/dist/zalo-zm_bYCKg.js +0 -415
- package/dist/zalouser-CvVEUvc5.js +0 -30911
- /package/dist/{account-id-B3YSn4hl.d.ts → account-id-B8ce6G_4.d.ts} +0 -0
- /package/dist/{acpx-CnNv70m2.d.ts → acpx-Ci50I9T2.d.ts} +0 -0
- /package/dist/{agent-media-payload-DE2pEcsz.d.ts → agent-media-payload-en-gS5p6.d.ts} +0 -0
- /package/dist/{allow-from-DPpHnT2A.d.ts → allow-from-cMeQ47Ot.d.ts} +0 -0
- /package/dist/{allowlist-resolution-CLFiZ6nE.d.ts → allowlist-resolution-DoAWbfXV.d.ts} +0 -0
- /package/dist/{bluebubbles-Duhu-Jer.d.ts → bluebubbles-C6yYmUl0.d.ts} +0 -0
- /package/dist/{boolean-param-BhFjB3gp.d.ts → boolean-param-CdO2TFTk.d.ts} +0 -0
- /package/dist/{channel-config-schema-DnnVMdjR.d.ts → channel-config-schema-Chp38wel.d.ts} +0 -0
- /package/dist/{channel-policy-Baq-Z06b.d.ts → channel-policy-g2h6AbYQ.d.ts} +0 -0
- /package/dist/{chat-type-DpiBgwuG.d.ts → chat-type-BLt59pPT.d.ts} +0 -0
- /package/dist/{command-format-vi4xq8e8.d.ts → command-format-BDJC05Jp.d.ts} +0 -0
- /package/dist/{diffs-DK7fVSDo.d.ts → diffs-D_iNKCyn.d.ts} +0 -0
- /package/dist/{directory-runtime-BTLPaysA.d.ts → directory-runtime-DhMex6HY.d.ts} +0 -0
- /package/dist/{exec-C01wtBHu.d.ts → exec-pjfUY4KM.d.ts} +0 -0
- /package/dist/{gaxios-fetch-compat-wZ38b3w3.js → gaxios-fetch-compat-B_vtINdV.js} +0 -0
- /package/dist/{history-CwXuP2TW.d.ts → history-aqSS5VGQ.d.ts} +0 -0
- /package/dist/{inbound-envelope-SggrBs9m.d.ts → inbound-envelope-C5hWuZod.d.ts} +0 -0
- /package/dist/{index-apAZHsDo.d.ts → index-DXVQFYGX.d.ts} +0 -0
- /package/dist/{json-store-r75IZGk9.d.ts → json-store-UnqQ5aV3.d.ts} +0 -0
- /package/dist/{keyed-async-queue-DHIr7yNe.d.ts → keyed-async-queue-guucpLw3.d.ts} +0 -0
- /package/dist/{links-HeQ3r_L0.d.ts → links-Bar0meEK.d.ts} +0 -0
- /package/dist/{markdown-to-line-CDb4Jy3V.d.ts → markdown-to-line-D8uH_KOj.d.ts} +0 -0
- /package/dist/{mattermost-DtCsxpgg.d.ts → mattermost-xl7jAFJL.d.ts} +0 -0
- /package/dist/{net-BATPDwdQ.d.ts → net-rGOKGds6.d.ts} +0 -0
- /package/dist/{nextcloud-talk-Bb2wHOwp.d.ts → nextcloud-talk-De2CZ9dV.d.ts} +0 -0
- /package/dist/{oauth-utils-u567CLT0.d.ts → oauth-utils-DzN1AlEH.d.ts} +0 -0
- /package/dist/{parse-finite-number-l3tNlrZh.d.ts → parse-finite-number-odgyqhi0.d.ts} +0 -0
- /package/dist/{provider-usage.types-C6061OVN.d.ts → provider-usage.types-EDE9o-H_.d.ts} +0 -0
- /package/dist/{reply-history-BDsFnZFl.d.ts → reply-history-CVuU31xe.d.ts} +0 -0
- /package/dist/{reply-payload-CCvM4W9u.d.ts → reply-payload-CHkpBYwL.d.ts} +0 -0
- /package/dist/{request-url-C54l4-xC.d.ts → request-url-DHisbiHY.d.ts} +0 -0
- /package/dist/{run-command-D3RqWcHu.d.ts → run-command-y0Cndsb1.d.ts} +0 -0
- /package/dist/{secret-input-schema-BLBt-NAP.d.ts → secret-input-schema-b1vpYDQN.d.ts} +0 -0
- /package/dist/{session-key-BQ2-bR-9.d.ts → session-key-DTHQl57f.d.ts} +0 -0
- /package/dist/{ssh-config-C4mcH9Ly.js → ssh-config-hEHBfU2_.js} +0 -0
- /package/dist/{testing-DLkhGsoz.d.ts → testing-DszuZXgK.d.ts} +0 -0
- /package/dist/{thinking-DRkjX18p.d.ts → thinking-IwXTGSeT.d.ts} +0 -0
- /package/dist/{tool-send-CMMD1uDu.d.ts → tool-send-DWHRmKpz.d.ts} +0 -0
- /package/dist/{vllm-defaults-CcGuf4hL.d.ts → vllm-defaults-CrxZgE6-.d.ts} +0 -0
- /package/dist/{wait-Daog8bxM.d.ts → wait-wDWw_MTI.d.ts} +0 -0
- /package/dist/{webhook-memory-guards-C5MrExwT.d.ts → webhook-memory-guards-DreORuJy.d.ts} +0 -0
- /package/dist/{windows-spawn-j2l-dqu8.d.ts → windows-spawn-BIzH92x2.d.ts} +0 -0
- /package/dist/{zod-schema.agent-runtime-krMrBnIn.d.ts → zod-schema.agent-runtime-CP2rmis3.d.ts} +0 -0
- /package/dist/{zod-schema.core-BNDieZDZ.d.ts → zod-schema.core-Foi1tYwi.d.ts} +0 -0
|
@@ -0,0 +1,2503 @@
|
|
|
1
|
+
import "./redact-fatrROh9.js";
|
|
2
|
+
import "./errors-DOJWZqNo.js";
|
|
3
|
+
import "./unhandled-rejections-CTvNvnT0.js";
|
|
4
|
+
import "./logger-BFfIIIKH.js";
|
|
5
|
+
import { _ as resolveStateDir } from "./paths-D6AgsMTU.js";
|
|
6
|
+
import "./tmp-moldclaw-dir-DWF-d8qD.js";
|
|
7
|
+
import { r as theme, t as colorize } from "./theme-BSXzMzAA.js";
|
|
8
|
+
import "./globals-DESrFYmC.js";
|
|
9
|
+
import { n as defaultRuntime } from "./runtime-_tQz41uA.js";
|
|
10
|
+
import "./ansi-BPhP6LBZ.js";
|
|
11
|
+
import "./subsystem-CPmDTJ2P.js";
|
|
12
|
+
import "./boolean-B6zcAynR.js";
|
|
13
|
+
import "./env-D42cffog.js";
|
|
14
|
+
import "./warning-filter-B1UOeM0G.js";
|
|
15
|
+
import "./utils-C7ykRPCQ.js";
|
|
16
|
+
import { t as formatDocsLink } from "./links-BcahUP5U.js";
|
|
17
|
+
import "./setup-binary-CcAv8NXz.js";
|
|
18
|
+
import { Gd as formatExecCommand, Kd as resolveSystemRunCommandRequest, Zd as normalizeSystemRunApprovalPlan, df as resolveExecSafeBinRuntimePolicy, lf as isInterpreterLikeSafeBin, lh as getMachineDisplayName, tl as withTimeout } from "./auth-profiles-smABVXzp.js";
|
|
19
|
+
import "./model-selection-bBBxfXdb.js";
|
|
20
|
+
import { i as resolveAgentConfig } from "./agent-scope-lZlwP1At.js";
|
|
21
|
+
import "./boundary-file-read-tPYh_8fH.js";
|
|
22
|
+
import { n as sameFileIdentity } from "./safe-open-sync-BmiTH5-j.js";
|
|
23
|
+
import { a as logWarn } from "./logger-BGzLUitz.js";
|
|
24
|
+
import "./exec-CvEtXqTZ.js";
|
|
25
|
+
import "./workspace-DJ_S272u.js";
|
|
26
|
+
import { At as resolvePlannedSegmentArgv, Bt as POSIX_SHELL_WRAPPERS, Jt as unwrapKnownDispatchWrapperInvocation, Kt as normalizeExecutableToken, Qt as resolveInlineCommandMatch, Rt as resolveCommandResolutionFromArgv, Xt as POSIX_INLINE_COMMAND_FLAGS, Yt as unwrapKnownShellMultiplexerInvocation, c as loadConfig, wt as analyzeArgvCommand, zt as resolveExecutableFromPathEnv } from "./io-BaBxjB1v.js";
|
|
27
|
+
import { a as sanitizeSystemRunEnvOverrides, i as sanitizeHostExecEnv } from "./host-env-security-DQ2i_W12.js";
|
|
28
|
+
import "./safe-text-Cnulee_z.js";
|
|
29
|
+
import { n as VERSION } from "./version-T8nMYUnU.js";
|
|
30
|
+
import "./env-substitution-68cyvF5h.js";
|
|
31
|
+
import "./config-state-h5jUoHya.js";
|
|
32
|
+
import "./network-mode-BtWXzwYn.js";
|
|
33
|
+
import { t as splitShellArgs } from "./shell-argv-BtTDCBSt.js";
|
|
34
|
+
import "./registry-C1pRrsQl.js";
|
|
35
|
+
import "./manifest-registry-CS_p1OBQ.js";
|
|
36
|
+
import "./ip-C4YAIpr4.js";
|
|
37
|
+
import "./zod-schema.core-DvwgNmpd.js";
|
|
38
|
+
import "./config-CwBv71QC.js";
|
|
39
|
+
import "./audit-fs-CMb-YUHX.js";
|
|
40
|
+
import "./resolve-PSlwZjg3.js";
|
|
41
|
+
import "./provider-web-search-CcUC9ktE.js";
|
|
42
|
+
import "./text-runtime-Cfq-Uyx0.js";
|
|
43
|
+
import "./workspace-dirs-CGeIPpGN.js";
|
|
44
|
+
import { n as resolveBrowserConfig } from "./config-BwkGZjD5.js";
|
|
45
|
+
import { t as formatCliCommand } from "./command-format-C_z0Ru-7.js";
|
|
46
|
+
import "./tailnet-fFTz5Twr.js";
|
|
47
|
+
import "./net-K181nxTH.js";
|
|
48
|
+
import "./credentials-D-5Pb-aZ.js";
|
|
49
|
+
import { _ as startBrowserControlServiceFromConfig, f as redactCdpUrl, g as createBrowserControlContext, h as createBrowserRouteDispatcher } from "./routes-CcJNnwTF.js";
|
|
50
|
+
import "./frontmatter-Cgg0ICvh.js";
|
|
51
|
+
import "./env-overrides-DBQl3LRc.js";
|
|
52
|
+
import "./path-alias-guards-BtSO7sk7.js";
|
|
53
|
+
import "./skills-DE_MXFSN.js";
|
|
54
|
+
import { r as writeJsonAtomic } from "./json-files-B9YQFF4Z.js";
|
|
55
|
+
import "./ports-Ca74cFb2.js";
|
|
56
|
+
import "./ports-lsof-CoiADo0p.js";
|
|
57
|
+
import "./ssh-tunnel-DsY-9yao.js";
|
|
58
|
+
import "./image-ops-Ck_D_vpe.js";
|
|
59
|
+
import "./fs-safe-CRXFoBmh.js";
|
|
60
|
+
import { t as detectMime } from "./mime-DGFQe4XX.js";
|
|
61
|
+
import "./server-middleware-Djfoa1s0.js";
|
|
62
|
+
import { _ as GATEWAY_CLIENT_MODES, v as GATEWAY_CLIENT_NAMES } from "./message-channel-DFE4FuE_.js";
|
|
63
|
+
import "./resolve-route-DdX-HBVt.js";
|
|
64
|
+
import "./internal-hooks-83AcmxP3.js";
|
|
65
|
+
import "./lazy-runtime-BoGB4usD.js";
|
|
66
|
+
import "./config-schema-BNU4GQh_.js";
|
|
67
|
+
import { u as GatewayClient } from "./method-scopes-B2ZKSsxQ.js";
|
|
68
|
+
import "./session-cost-usage-DWgQk6XT.js";
|
|
69
|
+
import "./paths-ApLcu1Uu.js";
|
|
70
|
+
import "./routing-DQ-fpTaA.js";
|
|
71
|
+
import "./send-B1pX9_Oc.js";
|
|
72
|
+
import { E as evaluateShellAllowlist, T as evaluateExecAllowlist, _ as recordAllowlistUse, b as resolveExecApprovals, f as normalizeExecApprovals, g as readExecApprovalsSnapshot, j as requestJsonlSocket, k as resolveAllowAlwaysPatterns, o as addAllowlistEntry, s as ensureExecApprovals, u as mergeExecApprovalsSocketDefaults, w as saveExecApprovals, y as requiresExecApproval } from "./node-resolve-BYC2FbO2.js";
|
|
73
|
+
import "./provider-stream-Chz_EFw3.js";
|
|
74
|
+
import "./identity-file-Diub2a0t.js";
|
|
75
|
+
import "./provider-models-xnyxy6mO.js";
|
|
76
|
+
import "./secret-file-p1IhQzwJ.js";
|
|
77
|
+
import "./logging-Dy7UYzIN.js";
|
|
78
|
+
import "./runtime-env-BlEtPF6b.js";
|
|
79
|
+
import "./registry-BFMbkmgR.js";
|
|
80
|
+
import "./provider-onboard-B9ionepI.js";
|
|
81
|
+
import "./model-definitions-Cyyzm6Kr.js";
|
|
82
|
+
import "./usage-Czgwvg0h.js";
|
|
83
|
+
import { n as loadOrCreateDeviceIdentity } from "./device-identity-IG5DngWM.js";
|
|
84
|
+
import "./auth-Ch3Rchm4.js";
|
|
85
|
+
import "./subscription-DaA1urx-.js";
|
|
86
|
+
import "./diagnostic-DTPopFvh.js";
|
|
87
|
+
import "./message-hook-mappers-CeiHXgSQ.js";
|
|
88
|
+
import "./json-store--7cBPxTG.js";
|
|
89
|
+
import "./call-gdDAt07d.js";
|
|
90
|
+
import "./multimodal-BJBBn_4F.js";
|
|
91
|
+
import "./memory-search-tTD5o_rU.js";
|
|
92
|
+
import "./query-expansion-D_Mm5Hhi.js";
|
|
93
|
+
import "./search-manager-BS5Db0A6.js";
|
|
94
|
+
import "./core-BwKq3krw.js";
|
|
95
|
+
import "./issue-format-B0SI57Es.js";
|
|
96
|
+
import "./logging-CdisccbY.js";
|
|
97
|
+
import "./note-dOl5kPAy.js";
|
|
98
|
+
import "./state-paths-DsMoTg25.js";
|
|
99
|
+
import "./config-value-DT3-5958.js";
|
|
100
|
+
import "./command-secret-targets-BFF4x_RB.js";
|
|
101
|
+
import "./brave-w4Fo8WZ3.js";
|
|
102
|
+
import "./provider-usage-kxemdMp2.js";
|
|
103
|
+
import "./perplexity-CXwMDD3u.js";
|
|
104
|
+
import { _ as resolveNodeWindowsTaskName, c as formatNodeServiceDescription, g as resolveNodeSystemdServiceName, h as resolveNodeLaunchAgentLabel } from "./constants-BHwb0DmS.js";
|
|
105
|
+
import "./restart-stale-pids-CPF1_61W.js";
|
|
106
|
+
import "./delivery-queue-BOf5wYIc.js";
|
|
107
|
+
import "./pairing-token-bu1e6z6X.js";
|
|
108
|
+
import "./accounts-J2OhhhQi.js";
|
|
109
|
+
import "./process-runtime-D27SftX_.js";
|
|
110
|
+
import "./audit-CpfSjvyo.js";
|
|
111
|
+
import "./cli-runtime-DTCHPjCi.js";
|
|
112
|
+
import "./cli-utils-BCuSS4l6.js";
|
|
113
|
+
import { t as formatHelpExamples } from "./help-format-BFzPm_8V.js";
|
|
114
|
+
import "./progress-Cwq59vgZ.js";
|
|
115
|
+
import { n as resolveGatewayConnectionAuth } from "./gateway-runtime-CBm3CCoA.js";
|
|
116
|
+
import { i as resolveNodeProgramArguments, n as resolveDaemonInstallRuntimeInputs, t as emitDaemonInstallRuntimeWarning } from "./daemon-install-plan.shared-so6KadNd.js";
|
|
117
|
+
import { c as buildNodeServiceEnvironment } from "./runtime-paths-BfFqPvDh.js";
|
|
118
|
+
import "./runtime-guard-BpWoE02v.js";
|
|
119
|
+
import { r as isGatewayDaemonRuntime, t as DEFAULT_GATEWAY_DAEMON_RUNTIME } from "./daemon-runtime-BR9EstPe.js";
|
|
120
|
+
import "./runtime-parse--SHudmXO.js";
|
|
121
|
+
import "./launchd-DTK8FAln.js";
|
|
122
|
+
import "./service-D-iBQb7Y.js";
|
|
123
|
+
import "./systemd-C3JL-Eyf.js";
|
|
124
|
+
import { f as buildDaemonServiceSnapshot, h as installDaemonServiceAndEmit, n as createDaemonInstallActionContext, r as failIfNixDaemonInstallMode, t as createCliStatusTextStyles, u as resolveRuntimeStatusColor } from "./shared-BqaB7e0a.js";
|
|
125
|
+
import { c as buildPlatformRuntimeLogHints, l as buildPlatformServiceStartHints, u as formatRuntimeStatus } from "./systemd-hints-DabP9g6b.js";
|
|
126
|
+
import { t as parsePort } from "./parse-port-CoUFaR8Z.js";
|
|
127
|
+
import { i as runServiceUninstall, r as runServiceStop, t as runServiceRestart } from "./lifecycle-core-Dn8PK6nk.js";
|
|
128
|
+
import { t as ensuremoldClawCliOnPath } from "./path-env-DnnsnURr.js";
|
|
129
|
+
import { i as NODE_SYSTEM_RUN_COMMANDS, n as NODE_EXEC_APPROVALS_COMMANDS, t as NODE_BROWSER_PROXY_COMMAND } from "./node-commands-6-IPQsnR.js";
|
|
130
|
+
import { t as resolveNodeService } from "./node-service-D1P2CBtD.js";
|
|
131
|
+
import fs from "node:fs";
|
|
132
|
+
import path from "node:path";
|
|
133
|
+
import { spawn, spawnSync } from "node:child_process";
|
|
134
|
+
import fs$1 from "node:fs/promises";
|
|
135
|
+
import crypto from "node:crypto";
|
|
136
|
+
//#region src/node-host/config.ts
|
|
137
|
+
const NODE_HOST_FILE = "node.json";
|
|
138
|
+
function resolveNodeHostConfigPath() {
|
|
139
|
+
return path.join(resolveStateDir(), NODE_HOST_FILE);
|
|
140
|
+
}
|
|
141
|
+
function normalizeConfig(config) {
|
|
142
|
+
const base = {
|
|
143
|
+
version: 1,
|
|
144
|
+
nodeId: "",
|
|
145
|
+
token: config?.token,
|
|
146
|
+
displayName: config?.displayName,
|
|
147
|
+
gateway: config?.gateway
|
|
148
|
+
};
|
|
149
|
+
if (config?.version === 1 && typeof config.nodeId === "string") base.nodeId = config.nodeId.trim();
|
|
150
|
+
if (!base.nodeId) base.nodeId = crypto.randomUUID();
|
|
151
|
+
return base;
|
|
152
|
+
}
|
|
153
|
+
async function loadNodeHostConfig() {
|
|
154
|
+
const filePath = resolveNodeHostConfigPath();
|
|
155
|
+
try {
|
|
156
|
+
const raw = await fs$1.readFile(filePath, "utf8");
|
|
157
|
+
return normalizeConfig(JSON.parse(raw));
|
|
158
|
+
} catch {
|
|
159
|
+
return null;
|
|
160
|
+
}
|
|
161
|
+
}
|
|
162
|
+
async function saveNodeHostConfig(config) {
|
|
163
|
+
await writeJsonAtomic(resolveNodeHostConfigPath(), config, { mode: 384 });
|
|
164
|
+
}
|
|
165
|
+
async function ensureNodeHostConfig() {
|
|
166
|
+
const normalized = normalizeConfig(await loadNodeHostConfig());
|
|
167
|
+
await saveNodeHostConfig(normalized);
|
|
168
|
+
return normalized;
|
|
169
|
+
}
|
|
170
|
+
//#endregion
|
|
171
|
+
//#region src/infra/exec-host.ts
|
|
172
|
+
async function requestExecHostViaSocket(params) {
|
|
173
|
+
const { socketPath, token, request } = params;
|
|
174
|
+
if (!socketPath || !token) return null;
|
|
175
|
+
const timeoutMs = params.timeoutMs ?? 2e4;
|
|
176
|
+
const requestJson = JSON.stringify(request);
|
|
177
|
+
const nonce = crypto.randomBytes(16).toString("hex");
|
|
178
|
+
const ts = Date.now();
|
|
179
|
+
const hmac = crypto.createHmac("sha256", token).update(`${nonce}:${ts}:${requestJson}`).digest("hex");
|
|
180
|
+
return await requestJsonlSocket({
|
|
181
|
+
socketPath,
|
|
182
|
+
payload: JSON.stringify({
|
|
183
|
+
type: "exec",
|
|
184
|
+
id: crypto.randomUUID(),
|
|
185
|
+
nonce,
|
|
186
|
+
ts,
|
|
187
|
+
hmac,
|
|
188
|
+
requestJson
|
|
189
|
+
}),
|
|
190
|
+
timeoutMs,
|
|
191
|
+
accept: (value) => {
|
|
192
|
+
const msg = value;
|
|
193
|
+
if (msg?.type !== "exec-res") return;
|
|
194
|
+
if (msg.ok === true && msg.payload) return {
|
|
195
|
+
ok: true,
|
|
196
|
+
payload: msg.payload
|
|
197
|
+
};
|
|
198
|
+
if (msg.ok === false && msg.error) return {
|
|
199
|
+
ok: false,
|
|
200
|
+
error: msg.error
|
|
201
|
+
};
|
|
202
|
+
return null;
|
|
203
|
+
}
|
|
204
|
+
});
|
|
205
|
+
}
|
|
206
|
+
//#endregion
|
|
207
|
+
//#region src/node-host/invoke-browser.ts
|
|
208
|
+
const BROWSER_PROXY_MAX_FILE_BYTES = 10 * 1024 * 1024;
|
|
209
|
+
const DEFAULT_BROWSER_PROXY_TIMEOUT_MS = 2e4;
|
|
210
|
+
const BROWSER_PROXY_STATUS_TIMEOUT_MS = 750;
|
|
211
|
+
function normalizeProfileAllowlist(raw) {
|
|
212
|
+
return Array.isArray(raw) ? raw.map((entry) => entry.trim()).filter(Boolean) : [];
|
|
213
|
+
}
|
|
214
|
+
function resolveBrowserProxyConfig() {
|
|
215
|
+
const proxy = loadConfig().nodeHost?.browserProxy;
|
|
216
|
+
const allowProfiles = normalizeProfileAllowlist(proxy?.allowProfiles);
|
|
217
|
+
return {
|
|
218
|
+
enabled: proxy?.enabled !== false,
|
|
219
|
+
allowProfiles
|
|
220
|
+
};
|
|
221
|
+
}
|
|
222
|
+
let browserControlReady = null;
|
|
223
|
+
async function ensureBrowserControlService() {
|
|
224
|
+
if (browserControlReady) return browserControlReady;
|
|
225
|
+
browserControlReady = (async () => {
|
|
226
|
+
const cfg = loadConfig();
|
|
227
|
+
if (!resolveBrowserConfig(cfg.browser, cfg).enabled) throw new Error("browser control disabled");
|
|
228
|
+
if (!await startBrowserControlServiceFromConfig()) throw new Error("browser control disabled");
|
|
229
|
+
})();
|
|
230
|
+
return browserControlReady;
|
|
231
|
+
}
|
|
232
|
+
function isProfileAllowed(params) {
|
|
233
|
+
const { allowProfiles, profile } = params;
|
|
234
|
+
if (!allowProfiles.length) return true;
|
|
235
|
+
if (!profile) return false;
|
|
236
|
+
return allowProfiles.includes(profile.trim());
|
|
237
|
+
}
|
|
238
|
+
function collectBrowserProxyPaths(payload) {
|
|
239
|
+
const paths = /* @__PURE__ */ new Set();
|
|
240
|
+
const obj = typeof payload === "object" && payload !== null ? payload : null;
|
|
241
|
+
if (!obj) return [];
|
|
242
|
+
if (typeof obj.path === "string" && obj.path.trim()) paths.add(obj.path.trim());
|
|
243
|
+
if (typeof obj.imagePath === "string" && obj.imagePath.trim()) paths.add(obj.imagePath.trim());
|
|
244
|
+
const download = obj.download;
|
|
245
|
+
if (download && typeof download === "object") {
|
|
246
|
+
const dlPath = download.path;
|
|
247
|
+
if (typeof dlPath === "string" && dlPath.trim()) paths.add(dlPath.trim());
|
|
248
|
+
}
|
|
249
|
+
return [...paths];
|
|
250
|
+
}
|
|
251
|
+
async function readBrowserProxyFile(filePath) {
|
|
252
|
+
const stat = await fs$1.stat(filePath).catch(() => null);
|
|
253
|
+
if (!stat || !stat.isFile()) return null;
|
|
254
|
+
if (stat.size > BROWSER_PROXY_MAX_FILE_BYTES) throw new Error(`browser proxy file exceeds ${Math.round(BROWSER_PROXY_MAX_FILE_BYTES / (1024 * 1024))}MB`);
|
|
255
|
+
const buffer = await fs$1.readFile(filePath);
|
|
256
|
+
const mimeType = await detectMime({
|
|
257
|
+
buffer,
|
|
258
|
+
filePath
|
|
259
|
+
});
|
|
260
|
+
return {
|
|
261
|
+
path: filePath,
|
|
262
|
+
base64: buffer.toString("base64"),
|
|
263
|
+
mimeType
|
|
264
|
+
};
|
|
265
|
+
}
|
|
266
|
+
function decodeParams$1(raw) {
|
|
267
|
+
if (!raw) throw new Error("INVALID_REQUEST: paramsJSON required");
|
|
268
|
+
return JSON.parse(raw);
|
|
269
|
+
}
|
|
270
|
+
function resolveBrowserProxyTimeout(timeoutMs) {
|
|
271
|
+
return typeof timeoutMs === "number" && Number.isFinite(timeoutMs) ? Math.max(1, Math.floor(timeoutMs)) : DEFAULT_BROWSER_PROXY_TIMEOUT_MS;
|
|
272
|
+
}
|
|
273
|
+
function isBrowserProxyTimeoutError(err) {
|
|
274
|
+
return String(err).includes("browser proxy request timed out");
|
|
275
|
+
}
|
|
276
|
+
function isWsBackedBrowserProxyPath(path) {
|
|
277
|
+
return path === "/act" || path === "/navigate" || path === "/pdf" || path === "/screenshot" || path === "/snapshot";
|
|
278
|
+
}
|
|
279
|
+
async function readBrowserProxyStatus(params) {
|
|
280
|
+
const query = params.profile ? { profile: params.profile } : {};
|
|
281
|
+
try {
|
|
282
|
+
const response = await withTimeout((signal) => params.dispatcher.dispatch({
|
|
283
|
+
method: "GET",
|
|
284
|
+
path: "/",
|
|
285
|
+
query,
|
|
286
|
+
signal
|
|
287
|
+
}), BROWSER_PROXY_STATUS_TIMEOUT_MS, "browser proxy status");
|
|
288
|
+
if (response.status >= 400 || !response.body || typeof response.body !== "object") return null;
|
|
289
|
+
const body = response.body;
|
|
290
|
+
return {
|
|
291
|
+
running: body.running,
|
|
292
|
+
transport: body.transport,
|
|
293
|
+
cdpHttp: body.cdpHttp,
|
|
294
|
+
cdpReady: body.cdpReady,
|
|
295
|
+
cdpUrl: body.cdpUrl
|
|
296
|
+
};
|
|
297
|
+
} catch {
|
|
298
|
+
return null;
|
|
299
|
+
}
|
|
300
|
+
}
|
|
301
|
+
function formatBrowserProxyTimeoutMessage(params) {
|
|
302
|
+
const parts = [`browser proxy timed out for ${params.method} ${params.path} after ${params.timeoutMs}ms`, params.wsBacked ? "ws-backed browser action" : "browser action"];
|
|
303
|
+
if (params.profile) parts.push(`profile=${params.profile}`);
|
|
304
|
+
if (params.status) {
|
|
305
|
+
const statusParts = [
|
|
306
|
+
`running=${String(params.status.running)}`,
|
|
307
|
+
`cdpHttp=${String(params.status.cdpHttp)}`,
|
|
308
|
+
`cdpReady=${String(params.status.cdpReady)}`
|
|
309
|
+
];
|
|
310
|
+
if (typeof params.status.transport === "string" && params.status.transport.trim()) statusParts.push(`transport=${params.status.transport}`);
|
|
311
|
+
if (typeof params.status.cdpUrl === "string" && params.status.cdpUrl.trim()) statusParts.push(`cdpUrl=${redactCdpUrl(params.status.cdpUrl)}`);
|
|
312
|
+
parts.push(`status(${statusParts.join(", ")})`);
|
|
313
|
+
}
|
|
314
|
+
return parts.join("; ");
|
|
315
|
+
}
|
|
316
|
+
async function runBrowserProxyCommand(paramsJSON) {
|
|
317
|
+
const params = decodeParams$1(paramsJSON);
|
|
318
|
+
const pathValue = typeof params.path === "string" ? params.path.trim() : "";
|
|
319
|
+
if (!pathValue) throw new Error("INVALID_REQUEST: path required");
|
|
320
|
+
const proxyConfig = resolveBrowserProxyConfig();
|
|
321
|
+
if (!proxyConfig.enabled) throw new Error("UNAVAILABLE: node browser proxy disabled");
|
|
322
|
+
await ensureBrowserControlService();
|
|
323
|
+
const cfg = loadConfig();
|
|
324
|
+
const resolved = resolveBrowserConfig(cfg.browser, cfg);
|
|
325
|
+
const requestedProfile = typeof params.profile === "string" ? params.profile.trim() : "";
|
|
326
|
+
const allowedProfiles = proxyConfig.allowProfiles;
|
|
327
|
+
if (allowedProfiles.length > 0) {
|
|
328
|
+
if (pathValue !== "/profiles") {
|
|
329
|
+
if (!isProfileAllowed({
|
|
330
|
+
allowProfiles: allowedProfiles,
|
|
331
|
+
profile: requestedProfile || resolved.defaultProfile
|
|
332
|
+
})) throw new Error("INVALID_REQUEST: browser profile not allowed");
|
|
333
|
+
} else if (requestedProfile) {
|
|
334
|
+
if (!isProfileAllowed({
|
|
335
|
+
allowProfiles: allowedProfiles,
|
|
336
|
+
profile: requestedProfile
|
|
337
|
+
})) throw new Error("INVALID_REQUEST: browser profile not allowed");
|
|
338
|
+
}
|
|
339
|
+
}
|
|
340
|
+
const method = typeof params.method === "string" ? params.method.toUpperCase() : "GET";
|
|
341
|
+
const path = pathValue.startsWith("/") ? pathValue : `/${pathValue}`;
|
|
342
|
+
const body = params.body;
|
|
343
|
+
const timeoutMs = resolveBrowserProxyTimeout(params.timeoutMs);
|
|
344
|
+
const query = {};
|
|
345
|
+
if (requestedProfile) query.profile = requestedProfile;
|
|
346
|
+
const rawQuery = params.query ?? {};
|
|
347
|
+
for (const [key, value] of Object.entries(rawQuery)) {
|
|
348
|
+
if (value === void 0 || value === null) continue;
|
|
349
|
+
query[key] = typeof value === "string" ? value : String(value);
|
|
350
|
+
}
|
|
351
|
+
const dispatcher = createBrowserRouteDispatcher(createBrowserControlContext());
|
|
352
|
+
let response;
|
|
353
|
+
try {
|
|
354
|
+
response = await withTimeout((signal) => dispatcher.dispatch({
|
|
355
|
+
method: method === "DELETE" ? "DELETE" : method === "POST" ? "POST" : "GET",
|
|
356
|
+
path,
|
|
357
|
+
query,
|
|
358
|
+
body,
|
|
359
|
+
signal
|
|
360
|
+
}), timeoutMs, "browser proxy request");
|
|
361
|
+
} catch (err) {
|
|
362
|
+
if (!isBrowserProxyTimeoutError(err)) throw err;
|
|
363
|
+
const profileForStatus = requestedProfile || resolved.defaultProfile;
|
|
364
|
+
const status = await readBrowserProxyStatus({
|
|
365
|
+
dispatcher,
|
|
366
|
+
profile: path === "/profiles" ? void 0 : profileForStatus
|
|
367
|
+
});
|
|
368
|
+
throw new Error(formatBrowserProxyTimeoutMessage({
|
|
369
|
+
method,
|
|
370
|
+
path,
|
|
371
|
+
profile: path === "/profiles" ? void 0 : profileForStatus || void 0,
|
|
372
|
+
timeoutMs,
|
|
373
|
+
wsBacked: isWsBackedBrowserProxyPath(path),
|
|
374
|
+
status
|
|
375
|
+
}), { cause: err });
|
|
376
|
+
}
|
|
377
|
+
if (response.status >= 400) {
|
|
378
|
+
const message = response.body && typeof response.body === "object" && "error" in response.body ? String(response.body.error) : `HTTP ${response.status}`;
|
|
379
|
+
throw new Error(message);
|
|
380
|
+
}
|
|
381
|
+
const result = response.body;
|
|
382
|
+
if (allowedProfiles.length > 0 && path === "/profiles") {
|
|
383
|
+
const obj = typeof result === "object" && result !== null ? result : {};
|
|
384
|
+
obj.profiles = (Array.isArray(obj.profiles) ? obj.profiles : []).filter((entry) => {
|
|
385
|
+
if (!entry || typeof entry !== "object") return false;
|
|
386
|
+
const name = entry.name;
|
|
387
|
+
return typeof name === "string" && allowedProfiles.includes(name);
|
|
388
|
+
});
|
|
389
|
+
}
|
|
390
|
+
let files;
|
|
391
|
+
const paths = collectBrowserProxyPaths(result);
|
|
392
|
+
if (paths.length > 0) {
|
|
393
|
+
const loaded = await Promise.all(paths.map(async (p) => {
|
|
394
|
+
try {
|
|
395
|
+
const file = await readBrowserProxyFile(p);
|
|
396
|
+
if (!file) throw new Error("file not found");
|
|
397
|
+
return file;
|
|
398
|
+
} catch (err) {
|
|
399
|
+
throw new Error(`browser proxy file read failed for ${p}: ${String(err)}`, { cause: err });
|
|
400
|
+
}
|
|
401
|
+
}));
|
|
402
|
+
if (loaded.length > 0) files = loaded;
|
|
403
|
+
}
|
|
404
|
+
const payload = files ? {
|
|
405
|
+
result,
|
|
406
|
+
files
|
|
407
|
+
} : { result };
|
|
408
|
+
return JSON.stringify(payload);
|
|
409
|
+
}
|
|
410
|
+
//#endregion
|
|
411
|
+
//#region src/node-host/exec-policy.ts
|
|
412
|
+
function resolveExecApprovalDecision(value) {
|
|
413
|
+
if (value === "allow-once" || value === "allow-always") return value;
|
|
414
|
+
return null;
|
|
415
|
+
}
|
|
416
|
+
function formatSystemRunAllowlistMissMessage(params) {
|
|
417
|
+
if (params?.windowsShellWrapperBlocked) return "SYSTEM_RUN_DENIED: allowlist miss (Windows shell wrappers like cmd.exe /c require approval; approve once/always or run with --ask on-miss|always)";
|
|
418
|
+
if (params?.shellWrapperBlocked) return "SYSTEM_RUN_DENIED: allowlist miss (shell wrappers like sh/bash/zsh -c require approval; approve once/always or run with --ask on-miss|always)";
|
|
419
|
+
return "SYSTEM_RUN_DENIED: allowlist miss";
|
|
420
|
+
}
|
|
421
|
+
function evaluateSystemRunPolicy(params) {
|
|
422
|
+
const shellWrapperBlocked = params.security === "allowlist" && params.shellWrapperInvocation;
|
|
423
|
+
const windowsShellWrapperBlocked = shellWrapperBlocked && params.isWindows && params.cmdInvocation;
|
|
424
|
+
const analysisOk = shellWrapperBlocked ? false : params.analysisOk;
|
|
425
|
+
const allowlistSatisfied = shellWrapperBlocked ? false : params.allowlistSatisfied;
|
|
426
|
+
const approvedByAsk = params.approvalDecision !== null || params.approved === true;
|
|
427
|
+
if (params.security === "deny") return {
|
|
428
|
+
allowed: false,
|
|
429
|
+
eventReason: "security=deny",
|
|
430
|
+
errorMessage: "SYSTEM_RUN_DISABLED: security=deny",
|
|
431
|
+
analysisOk,
|
|
432
|
+
allowlistSatisfied,
|
|
433
|
+
shellWrapperBlocked,
|
|
434
|
+
windowsShellWrapperBlocked,
|
|
435
|
+
requiresAsk: false,
|
|
436
|
+
approvalDecision: params.approvalDecision,
|
|
437
|
+
approvedByAsk
|
|
438
|
+
};
|
|
439
|
+
const requiresAsk = requiresExecApproval({
|
|
440
|
+
ask: params.ask,
|
|
441
|
+
security: params.security,
|
|
442
|
+
analysisOk,
|
|
443
|
+
allowlistSatisfied
|
|
444
|
+
});
|
|
445
|
+
if (requiresAsk && !approvedByAsk) return {
|
|
446
|
+
allowed: false,
|
|
447
|
+
eventReason: "approval-required",
|
|
448
|
+
errorMessage: "SYSTEM_RUN_DENIED: approval required",
|
|
449
|
+
analysisOk,
|
|
450
|
+
allowlistSatisfied,
|
|
451
|
+
shellWrapperBlocked,
|
|
452
|
+
windowsShellWrapperBlocked,
|
|
453
|
+
requiresAsk,
|
|
454
|
+
approvalDecision: params.approvalDecision,
|
|
455
|
+
approvedByAsk
|
|
456
|
+
};
|
|
457
|
+
if (params.security === "allowlist" && (!analysisOk || !allowlistSatisfied) && !approvedByAsk) return {
|
|
458
|
+
allowed: false,
|
|
459
|
+
eventReason: "allowlist-miss",
|
|
460
|
+
errorMessage: formatSystemRunAllowlistMissMessage({
|
|
461
|
+
shellWrapperBlocked,
|
|
462
|
+
windowsShellWrapperBlocked
|
|
463
|
+
}),
|
|
464
|
+
analysisOk,
|
|
465
|
+
allowlistSatisfied,
|
|
466
|
+
shellWrapperBlocked,
|
|
467
|
+
windowsShellWrapperBlocked,
|
|
468
|
+
requiresAsk,
|
|
469
|
+
approvalDecision: params.approvalDecision,
|
|
470
|
+
approvedByAsk
|
|
471
|
+
};
|
|
472
|
+
return {
|
|
473
|
+
allowed: true,
|
|
474
|
+
analysisOk,
|
|
475
|
+
allowlistSatisfied,
|
|
476
|
+
shellWrapperBlocked,
|
|
477
|
+
windowsShellWrapperBlocked,
|
|
478
|
+
requiresAsk,
|
|
479
|
+
approvalDecision: params.approvalDecision,
|
|
480
|
+
approvedByAsk
|
|
481
|
+
};
|
|
482
|
+
}
|
|
483
|
+
//#endregion
|
|
484
|
+
//#region src/node-host/invoke-system-run-allowlist.ts
|
|
485
|
+
function evaluateSystemRunAllowlist(params) {
|
|
486
|
+
if (params.shellCommand) {
|
|
487
|
+
const allowlistEval = evaluateShellAllowlist({
|
|
488
|
+
command: params.shellCommand,
|
|
489
|
+
allowlist: params.approvals.allowlist,
|
|
490
|
+
safeBins: params.safeBins,
|
|
491
|
+
safeBinProfiles: params.safeBinProfiles,
|
|
492
|
+
cwd: params.cwd,
|
|
493
|
+
env: params.env,
|
|
494
|
+
trustedSafeBinDirs: params.trustedSafeBinDirs,
|
|
495
|
+
skillBins: params.skillBins,
|
|
496
|
+
autoAllowSkills: params.autoAllowSkills,
|
|
497
|
+
platform: process.platform
|
|
498
|
+
});
|
|
499
|
+
return {
|
|
500
|
+
analysisOk: allowlistEval.analysisOk,
|
|
501
|
+
allowlistMatches: allowlistEval.allowlistMatches,
|
|
502
|
+
allowlistSatisfied: params.security === "allowlist" && allowlistEval.analysisOk ? allowlistEval.allowlistSatisfied : false,
|
|
503
|
+
segments: allowlistEval.segments
|
|
504
|
+
};
|
|
505
|
+
}
|
|
506
|
+
const analysis = analyzeArgvCommand({
|
|
507
|
+
argv: params.argv,
|
|
508
|
+
cwd: params.cwd,
|
|
509
|
+
env: params.env
|
|
510
|
+
});
|
|
511
|
+
const allowlistEval = evaluateExecAllowlist({
|
|
512
|
+
analysis,
|
|
513
|
+
allowlist: params.approvals.allowlist,
|
|
514
|
+
safeBins: params.safeBins,
|
|
515
|
+
safeBinProfiles: params.safeBinProfiles,
|
|
516
|
+
cwd: params.cwd,
|
|
517
|
+
trustedSafeBinDirs: params.trustedSafeBinDirs,
|
|
518
|
+
skillBins: params.skillBins,
|
|
519
|
+
autoAllowSkills: params.autoAllowSkills
|
|
520
|
+
});
|
|
521
|
+
return {
|
|
522
|
+
analysisOk: analysis.ok,
|
|
523
|
+
allowlistMatches: allowlistEval.allowlistMatches,
|
|
524
|
+
allowlistSatisfied: params.security === "allowlist" && analysis.ok ? allowlistEval.allowlistSatisfied : false,
|
|
525
|
+
segments: analysis.segments
|
|
526
|
+
};
|
|
527
|
+
}
|
|
528
|
+
function resolvePlannedAllowlistArgv(params) {
|
|
529
|
+
if (params.security !== "allowlist" || params.policy.approvedByAsk || params.shellCommand || !params.policy.analysisOk || !params.policy.allowlistSatisfied || params.segments.length !== 1) return;
|
|
530
|
+
const plannedAllowlistArgv = resolvePlannedSegmentArgv(params.segments[0]);
|
|
531
|
+
return plannedAllowlistArgv && plannedAllowlistArgv.length > 0 ? plannedAllowlistArgv : null;
|
|
532
|
+
}
|
|
533
|
+
function resolveSystemRunExecArgv(params) {
|
|
534
|
+
let execArgv = params.plannedAllowlistArgv ?? params.argv;
|
|
535
|
+
if (params.security === "allowlist" && params.isWindows && !params.policy.approvedByAsk && params.shellCommand && params.policy.analysisOk && params.policy.allowlistSatisfied && params.segments.length === 1 && params.segments[0]?.argv.length > 0) execArgv = params.segments[0].argv;
|
|
536
|
+
return execArgv;
|
|
537
|
+
}
|
|
538
|
+
function applyOutputTruncation(result) {
|
|
539
|
+
if (!result.truncated) return;
|
|
540
|
+
const suffix = "... (truncated)";
|
|
541
|
+
if (result.stderr.trim().length > 0) result.stderr = `${result.stderr}\n${suffix}`;
|
|
542
|
+
else result.stdout = `${result.stdout}\n${suffix}`;
|
|
543
|
+
}
|
|
544
|
+
//#endregion
|
|
545
|
+
//#region src/node-host/invoke-system-run-plan.ts
|
|
546
|
+
const MUTABLE_ARGV1_INTERPRETER_PATTERNS = [
|
|
547
|
+
/^(?:node|nodejs)$/,
|
|
548
|
+
/^perl$/,
|
|
549
|
+
/^php$/,
|
|
550
|
+
/^python(?:\d+(?:\.\d+)*)?$/,
|
|
551
|
+
/^ruby$/
|
|
552
|
+
];
|
|
553
|
+
const GENERIC_MUTABLE_SCRIPT_RUNNERS = new Set([
|
|
554
|
+
"esno",
|
|
555
|
+
"jiti",
|
|
556
|
+
"ts-node",
|
|
557
|
+
"ts-node-esm",
|
|
558
|
+
"tsx",
|
|
559
|
+
"vite-node"
|
|
560
|
+
]);
|
|
561
|
+
const BUN_SUBCOMMANDS = new Set([
|
|
562
|
+
"add",
|
|
563
|
+
"audit",
|
|
564
|
+
"completions",
|
|
565
|
+
"create",
|
|
566
|
+
"exec",
|
|
567
|
+
"help",
|
|
568
|
+
"init",
|
|
569
|
+
"install",
|
|
570
|
+
"link",
|
|
571
|
+
"outdated",
|
|
572
|
+
"patch",
|
|
573
|
+
"pm",
|
|
574
|
+
"publish",
|
|
575
|
+
"remove",
|
|
576
|
+
"repl",
|
|
577
|
+
"run",
|
|
578
|
+
"test",
|
|
579
|
+
"unlink",
|
|
580
|
+
"update",
|
|
581
|
+
"upgrade",
|
|
582
|
+
"x"
|
|
583
|
+
]);
|
|
584
|
+
const BUN_OPTIONS_WITH_VALUE = new Set([
|
|
585
|
+
"--backend",
|
|
586
|
+
"--bunfig",
|
|
587
|
+
"--conditions",
|
|
588
|
+
"--config",
|
|
589
|
+
"--console-depth",
|
|
590
|
+
"--cwd",
|
|
591
|
+
"--define",
|
|
592
|
+
"--elide-lines",
|
|
593
|
+
"--env-file",
|
|
594
|
+
"--extension-order",
|
|
595
|
+
"--filter",
|
|
596
|
+
"--hot",
|
|
597
|
+
"--inspect",
|
|
598
|
+
"--inspect-brk",
|
|
599
|
+
"--inspect-wait",
|
|
600
|
+
"--install",
|
|
601
|
+
"--jsx-factory",
|
|
602
|
+
"--jsx-fragment",
|
|
603
|
+
"--jsx-import-source",
|
|
604
|
+
"--loader",
|
|
605
|
+
"--origin",
|
|
606
|
+
"--port",
|
|
607
|
+
"--preload",
|
|
608
|
+
"--smol",
|
|
609
|
+
"--tsconfig-override",
|
|
610
|
+
"-c",
|
|
611
|
+
"-e",
|
|
612
|
+
"-p",
|
|
613
|
+
"-r"
|
|
614
|
+
]);
|
|
615
|
+
const DENO_RUN_OPTIONS_WITH_VALUE = new Set([
|
|
616
|
+
"--cached-only",
|
|
617
|
+
"--cert",
|
|
618
|
+
"--config",
|
|
619
|
+
"--env-file",
|
|
620
|
+
"--ext",
|
|
621
|
+
"--harmony-import-attributes",
|
|
622
|
+
"--import-map",
|
|
623
|
+
"--inspect",
|
|
624
|
+
"--inspect-brk",
|
|
625
|
+
"--inspect-wait",
|
|
626
|
+
"--location",
|
|
627
|
+
"--log-level",
|
|
628
|
+
"--lock",
|
|
629
|
+
"--node-modules-dir",
|
|
630
|
+
"--no-check",
|
|
631
|
+
"--preload",
|
|
632
|
+
"--reload",
|
|
633
|
+
"--seed",
|
|
634
|
+
"--strace-ops",
|
|
635
|
+
"--unstable-bare-node-builtins",
|
|
636
|
+
"--v8-flags",
|
|
637
|
+
"--watch",
|
|
638
|
+
"--watch-exclude",
|
|
639
|
+
"-L"
|
|
640
|
+
]);
|
|
641
|
+
const NODE_OPTIONS_WITH_FILE_VALUE = new Set([
|
|
642
|
+
"-r",
|
|
643
|
+
"--experimental-loader",
|
|
644
|
+
"--import",
|
|
645
|
+
"--loader",
|
|
646
|
+
"--require"
|
|
647
|
+
]);
|
|
648
|
+
const RUBY_UNSAFE_APPROVAL_FLAGS = new Set([
|
|
649
|
+
"-I",
|
|
650
|
+
"-r",
|
|
651
|
+
"--require"
|
|
652
|
+
]);
|
|
653
|
+
const PERL_UNSAFE_APPROVAL_FLAGS = new Set([
|
|
654
|
+
"-I",
|
|
655
|
+
"-M",
|
|
656
|
+
"-m"
|
|
657
|
+
]);
|
|
658
|
+
const POSIX_SHELL_OPTIONS_WITH_VALUE = new Set([
|
|
659
|
+
"--init-file",
|
|
660
|
+
"--rcfile",
|
|
661
|
+
"--startup-script",
|
|
662
|
+
"-o"
|
|
663
|
+
]);
|
|
664
|
+
const NPM_EXEC_OPTIONS_WITH_VALUE = new Set([
|
|
665
|
+
"--cache",
|
|
666
|
+
"--package",
|
|
667
|
+
"--prefix",
|
|
668
|
+
"--script-shell",
|
|
669
|
+
"--userconfig",
|
|
670
|
+
"--workspace",
|
|
671
|
+
"-p",
|
|
672
|
+
"-w"
|
|
673
|
+
]);
|
|
674
|
+
const NPM_EXEC_FLAG_OPTIONS = new Set([
|
|
675
|
+
"--no",
|
|
676
|
+
"--quiet",
|
|
677
|
+
"--ws",
|
|
678
|
+
"--workspaces",
|
|
679
|
+
"--yes",
|
|
680
|
+
"-q",
|
|
681
|
+
"-y"
|
|
682
|
+
]);
|
|
683
|
+
const PNPM_OPTIONS_WITH_VALUE = new Set([
|
|
684
|
+
"--config",
|
|
685
|
+
"--dir",
|
|
686
|
+
"--filter",
|
|
687
|
+
"--reporter",
|
|
688
|
+
"--stream",
|
|
689
|
+
"--test-pattern",
|
|
690
|
+
"--workspace-concurrency",
|
|
691
|
+
"-C"
|
|
692
|
+
]);
|
|
693
|
+
const PNPM_FLAG_OPTIONS = new Set([
|
|
694
|
+
"--aggregate-output",
|
|
695
|
+
"--color",
|
|
696
|
+
"--recursive",
|
|
697
|
+
"--silent",
|
|
698
|
+
"--workspace-root",
|
|
699
|
+
"-r"
|
|
700
|
+
]);
|
|
701
|
+
function normalizeString(value) {
|
|
702
|
+
if (typeof value !== "string") return null;
|
|
703
|
+
const trimmed = value.trim();
|
|
704
|
+
return trimmed ? trimmed : null;
|
|
705
|
+
}
|
|
706
|
+
function pathComponentsFromRootSync(targetPath) {
|
|
707
|
+
const absolute = path.resolve(targetPath);
|
|
708
|
+
const parts = [];
|
|
709
|
+
let cursor = absolute;
|
|
710
|
+
while (true) {
|
|
711
|
+
parts.unshift(cursor);
|
|
712
|
+
const parent = path.dirname(cursor);
|
|
713
|
+
if (parent === cursor) return parts;
|
|
714
|
+
cursor = parent;
|
|
715
|
+
}
|
|
716
|
+
}
|
|
717
|
+
function isWritableByCurrentProcessSync(candidate) {
|
|
718
|
+
try {
|
|
719
|
+
fs.accessSync(candidate, fs.constants.W_OK);
|
|
720
|
+
return true;
|
|
721
|
+
} catch {
|
|
722
|
+
return false;
|
|
723
|
+
}
|
|
724
|
+
}
|
|
725
|
+
function hasMutableSymlinkPathComponentSync(targetPath) {
|
|
726
|
+
for (const component of pathComponentsFromRootSync(targetPath)) try {
|
|
727
|
+
if (!fs.lstatSync(component).isSymbolicLink()) continue;
|
|
728
|
+
if (isWritableByCurrentProcessSync(path.dirname(component))) return true;
|
|
729
|
+
} catch {
|
|
730
|
+
return true;
|
|
731
|
+
}
|
|
732
|
+
return false;
|
|
733
|
+
}
|
|
734
|
+
function shouldPinExecutableForApproval(params) {
|
|
735
|
+
if (params.shellCommand !== null) return false;
|
|
736
|
+
return (params.wrapperChain?.length ?? 0) === 0;
|
|
737
|
+
}
|
|
738
|
+
function hashFileContentsSync(filePath) {
|
|
739
|
+
return crypto.createHash("sha256").update(fs.readFileSync(filePath)).digest("hex");
|
|
740
|
+
}
|
|
741
|
+
function looksLikePathToken(token) {
|
|
742
|
+
return token.startsWith(".") || token.startsWith("/") || token.startsWith("\\") || token.includes("/") || token.includes("\\") || path.extname(token).length > 0;
|
|
743
|
+
}
|
|
744
|
+
function resolvesToExistingFileSync(rawOperand, cwd) {
|
|
745
|
+
if (!rawOperand) return false;
|
|
746
|
+
try {
|
|
747
|
+
return fs.statSync(path.resolve(cwd ?? process.cwd(), rawOperand)).isFile();
|
|
748
|
+
} catch {
|
|
749
|
+
return false;
|
|
750
|
+
}
|
|
751
|
+
}
|
|
752
|
+
function unwrapArgvForMutableOperand(argv) {
|
|
753
|
+
let current = argv;
|
|
754
|
+
let baseIndex = 0;
|
|
755
|
+
while (true) {
|
|
756
|
+
const dispatchUnwrap = unwrapKnownDispatchWrapperInvocation(current);
|
|
757
|
+
if (dispatchUnwrap.kind === "unwrapped") {
|
|
758
|
+
baseIndex += current.length - dispatchUnwrap.argv.length;
|
|
759
|
+
current = dispatchUnwrap.argv;
|
|
760
|
+
continue;
|
|
761
|
+
}
|
|
762
|
+
const shellMultiplexerUnwrap = unwrapKnownShellMultiplexerInvocation(current);
|
|
763
|
+
if (shellMultiplexerUnwrap.kind === "unwrapped") {
|
|
764
|
+
baseIndex += current.length - shellMultiplexerUnwrap.argv.length;
|
|
765
|
+
current = shellMultiplexerUnwrap.argv;
|
|
766
|
+
continue;
|
|
767
|
+
}
|
|
768
|
+
const packageManagerUnwrap = unwrapKnownPackageManagerExecInvocation(current);
|
|
769
|
+
if (packageManagerUnwrap) {
|
|
770
|
+
baseIndex += current.length - packageManagerUnwrap.length;
|
|
771
|
+
current = packageManagerUnwrap;
|
|
772
|
+
continue;
|
|
773
|
+
}
|
|
774
|
+
return {
|
|
775
|
+
argv: current,
|
|
776
|
+
baseIndex
|
|
777
|
+
};
|
|
778
|
+
}
|
|
779
|
+
}
|
|
780
|
+
function unwrapKnownPackageManagerExecInvocation(argv) {
|
|
781
|
+
switch (normalizePackageManagerExecToken(argv[0] ?? "")) {
|
|
782
|
+
case "npm": return unwrapNpmExecInvocation(argv);
|
|
783
|
+
case "npx":
|
|
784
|
+
case "bunx": return unwrapDirectPackageExecInvocation(argv);
|
|
785
|
+
case "pnpm": return unwrapPnpmExecInvocation(argv);
|
|
786
|
+
default: return null;
|
|
787
|
+
}
|
|
788
|
+
}
|
|
789
|
+
function normalizePackageManagerExecToken(token) {
|
|
790
|
+
const normalized = normalizeExecutableToken(token);
|
|
791
|
+
if (!normalized) return normalized;
|
|
792
|
+
return normalized.replace(/\.(?:c|m)?js$/i, "");
|
|
793
|
+
}
|
|
794
|
+
function unwrapPnpmExecInvocation(argv) {
|
|
795
|
+
let idx = 1;
|
|
796
|
+
while (idx < argv.length) {
|
|
797
|
+
const token = argv[idx]?.trim() ?? "";
|
|
798
|
+
if (!token) {
|
|
799
|
+
idx += 1;
|
|
800
|
+
continue;
|
|
801
|
+
}
|
|
802
|
+
if (token === "--") {
|
|
803
|
+
idx += 1;
|
|
804
|
+
continue;
|
|
805
|
+
}
|
|
806
|
+
if (!token.startsWith("-")) {
|
|
807
|
+
if (token === "exec") {
|
|
808
|
+
if (idx + 1 >= argv.length) return null;
|
|
809
|
+
const tail = argv.slice(idx + 1);
|
|
810
|
+
return tail[0] === "--" ? tail.length > 1 ? tail.slice(1) : null : tail;
|
|
811
|
+
}
|
|
812
|
+
if (token === "node") {
|
|
813
|
+
const tail = argv.slice(idx + 1);
|
|
814
|
+
return ["node", ...tail[0] === "--" ? tail.slice(1) : tail];
|
|
815
|
+
}
|
|
816
|
+
return null;
|
|
817
|
+
}
|
|
818
|
+
const [flag] = token.toLowerCase().split("=", 2);
|
|
819
|
+
if (PNPM_OPTIONS_WITH_VALUE.has(flag)) {
|
|
820
|
+
idx += token.includes("=") ? 1 : 2;
|
|
821
|
+
continue;
|
|
822
|
+
}
|
|
823
|
+
if (PNPM_FLAG_OPTIONS.has(flag)) {
|
|
824
|
+
idx += 1;
|
|
825
|
+
continue;
|
|
826
|
+
}
|
|
827
|
+
return null;
|
|
828
|
+
}
|
|
829
|
+
return null;
|
|
830
|
+
}
|
|
831
|
+
function unwrapDirectPackageExecInvocation(argv) {
|
|
832
|
+
let idx = 1;
|
|
833
|
+
while (idx < argv.length) {
|
|
834
|
+
const token = argv[idx]?.trim() ?? "";
|
|
835
|
+
if (!token) {
|
|
836
|
+
idx += 1;
|
|
837
|
+
continue;
|
|
838
|
+
}
|
|
839
|
+
if (!token.startsWith("-")) return argv.slice(idx);
|
|
840
|
+
const [flag] = token.toLowerCase().split("=", 2);
|
|
841
|
+
if (flag === "-c" || flag === "--call") return null;
|
|
842
|
+
if (NPM_EXEC_OPTIONS_WITH_VALUE.has(flag)) {
|
|
843
|
+
idx += token.includes("=") ? 1 : 2;
|
|
844
|
+
continue;
|
|
845
|
+
}
|
|
846
|
+
if (NPM_EXEC_FLAG_OPTIONS.has(flag)) {
|
|
847
|
+
idx += 1;
|
|
848
|
+
continue;
|
|
849
|
+
}
|
|
850
|
+
return null;
|
|
851
|
+
}
|
|
852
|
+
return null;
|
|
853
|
+
}
|
|
854
|
+
function unwrapNpmExecInvocation(argv) {
|
|
855
|
+
let idx = 1;
|
|
856
|
+
while (idx < argv.length) {
|
|
857
|
+
const token = argv[idx]?.trim() ?? "";
|
|
858
|
+
if (!token) {
|
|
859
|
+
idx += 1;
|
|
860
|
+
continue;
|
|
861
|
+
}
|
|
862
|
+
if (!token.startsWith("-")) {
|
|
863
|
+
if (token !== "exec") return null;
|
|
864
|
+
idx += 1;
|
|
865
|
+
break;
|
|
866
|
+
}
|
|
867
|
+
if ((token === "-C" || token === "--prefix" || token === "--userconfig") && !token.includes("=")) {
|
|
868
|
+
idx += 2;
|
|
869
|
+
continue;
|
|
870
|
+
}
|
|
871
|
+
idx += 1;
|
|
872
|
+
}
|
|
873
|
+
if (idx >= argv.length) return null;
|
|
874
|
+
const tail = argv.slice(idx);
|
|
875
|
+
if (tail[0] === "--") return tail.length > 1 ? tail.slice(1) : null;
|
|
876
|
+
return unwrapDirectPackageExecInvocation(["npx", ...tail]);
|
|
877
|
+
}
|
|
878
|
+
function resolvePosixShellScriptOperandIndex(argv) {
|
|
879
|
+
if (resolveInlineCommandMatch(argv, POSIX_INLINE_COMMAND_FLAGS, { allowCombinedC: true }).valueTokenIndex !== null) return null;
|
|
880
|
+
let afterDoubleDash = false;
|
|
881
|
+
for (let i = 1; i < argv.length; i += 1) {
|
|
882
|
+
const token = argv[i]?.trim() ?? "";
|
|
883
|
+
if (!token) continue;
|
|
884
|
+
if (token === "-") return null;
|
|
885
|
+
if (!afterDoubleDash && token === "--") {
|
|
886
|
+
afterDoubleDash = true;
|
|
887
|
+
continue;
|
|
888
|
+
}
|
|
889
|
+
if (!afterDoubleDash && token === "-s") return null;
|
|
890
|
+
if (!afterDoubleDash && token.startsWith("-")) {
|
|
891
|
+
const [flag] = token.toLowerCase().split("=", 2);
|
|
892
|
+
if (POSIX_SHELL_OPTIONS_WITH_VALUE.has(flag)) {
|
|
893
|
+
if (!token.includes("=")) i += 1;
|
|
894
|
+
continue;
|
|
895
|
+
}
|
|
896
|
+
continue;
|
|
897
|
+
}
|
|
898
|
+
return i;
|
|
899
|
+
}
|
|
900
|
+
return null;
|
|
901
|
+
}
|
|
902
|
+
function resolveOptionFilteredFileOperandIndex(params) {
|
|
903
|
+
let afterDoubleDash = false;
|
|
904
|
+
for (let i = params.startIndex; i < params.argv.length; i += 1) {
|
|
905
|
+
const token = params.argv[i]?.trim() ?? "";
|
|
906
|
+
if (!token) continue;
|
|
907
|
+
if (afterDoubleDash) return resolvesToExistingFileSync(token, params.cwd) ? i : null;
|
|
908
|
+
if (token === "--") {
|
|
909
|
+
afterDoubleDash = true;
|
|
910
|
+
continue;
|
|
911
|
+
}
|
|
912
|
+
if (token === "-") return null;
|
|
913
|
+
if (token.startsWith("-")) {
|
|
914
|
+
if (!token.includes("=") && params.optionsWithValue?.has(token)) i += 1;
|
|
915
|
+
continue;
|
|
916
|
+
}
|
|
917
|
+
return resolvesToExistingFileSync(token, params.cwd) ? i : null;
|
|
918
|
+
}
|
|
919
|
+
return null;
|
|
920
|
+
}
|
|
921
|
+
function resolveOptionFilteredPositionalIndex(params) {
|
|
922
|
+
let afterDoubleDash = false;
|
|
923
|
+
for (let i = params.startIndex; i < params.argv.length; i += 1) {
|
|
924
|
+
const token = params.argv[i]?.trim() ?? "";
|
|
925
|
+
if (!token) continue;
|
|
926
|
+
if (afterDoubleDash) return i;
|
|
927
|
+
if (token === "--") {
|
|
928
|
+
afterDoubleDash = true;
|
|
929
|
+
continue;
|
|
930
|
+
}
|
|
931
|
+
if (token === "-") return null;
|
|
932
|
+
if (token.startsWith("-")) {
|
|
933
|
+
if (!token.includes("=") && params.optionsWithValue?.has(token)) i += 1;
|
|
934
|
+
continue;
|
|
935
|
+
}
|
|
936
|
+
return i;
|
|
937
|
+
}
|
|
938
|
+
return null;
|
|
939
|
+
}
|
|
940
|
+
function collectExistingFileOperandIndexes(params) {
|
|
941
|
+
let afterDoubleDash = false;
|
|
942
|
+
const hits = [];
|
|
943
|
+
for (let i = params.startIndex; i < params.argv.length; i += 1) {
|
|
944
|
+
const token = params.argv[i]?.trim() ?? "";
|
|
945
|
+
if (!token) continue;
|
|
946
|
+
if (afterDoubleDash) {
|
|
947
|
+
if (resolvesToExistingFileSync(token, params.cwd)) hits.push(i);
|
|
948
|
+
continue;
|
|
949
|
+
}
|
|
950
|
+
if (token === "--") {
|
|
951
|
+
afterDoubleDash = true;
|
|
952
|
+
continue;
|
|
953
|
+
}
|
|
954
|
+
if (token === "-") return {
|
|
955
|
+
hits: [],
|
|
956
|
+
sawOptionValueFile: false
|
|
957
|
+
};
|
|
958
|
+
if (token.startsWith("-")) {
|
|
959
|
+
const [flag, inlineValue] = token.split("=", 2);
|
|
960
|
+
if (params.optionsWithFileValue?.has(flag.toLowerCase())) {
|
|
961
|
+
if (inlineValue && resolvesToExistingFileSync(inlineValue, params.cwd)) {
|
|
962
|
+
hits.push(i);
|
|
963
|
+
return {
|
|
964
|
+
hits,
|
|
965
|
+
sawOptionValueFile: true
|
|
966
|
+
};
|
|
967
|
+
}
|
|
968
|
+
const nextToken = params.argv[i + 1]?.trim() ?? "";
|
|
969
|
+
if (!inlineValue && nextToken && resolvesToExistingFileSync(nextToken, params.cwd)) {
|
|
970
|
+
hits.push(i + 1);
|
|
971
|
+
return {
|
|
972
|
+
hits,
|
|
973
|
+
sawOptionValueFile: true
|
|
974
|
+
};
|
|
975
|
+
}
|
|
976
|
+
}
|
|
977
|
+
continue;
|
|
978
|
+
}
|
|
979
|
+
if (resolvesToExistingFileSync(token, params.cwd)) hits.push(i);
|
|
980
|
+
}
|
|
981
|
+
return {
|
|
982
|
+
hits,
|
|
983
|
+
sawOptionValueFile: false
|
|
984
|
+
};
|
|
985
|
+
}
|
|
986
|
+
function resolveGenericInterpreterScriptOperandIndex(params) {
|
|
987
|
+
const collection = collectExistingFileOperandIndexes({
|
|
988
|
+
argv: params.argv,
|
|
989
|
+
startIndex: 1,
|
|
990
|
+
cwd: params.cwd,
|
|
991
|
+
optionsWithFileValue: params.optionsWithFileValue
|
|
992
|
+
});
|
|
993
|
+
if (collection.sawOptionValueFile) return null;
|
|
994
|
+
return collection.hits.length === 1 ? collection.hits[0] : null;
|
|
995
|
+
}
|
|
996
|
+
function resolveBunScriptOperandIndex(params) {
|
|
997
|
+
const directIndex = resolveOptionFilteredPositionalIndex({
|
|
998
|
+
argv: params.argv,
|
|
999
|
+
startIndex: 1,
|
|
1000
|
+
optionsWithValue: BUN_OPTIONS_WITH_VALUE
|
|
1001
|
+
});
|
|
1002
|
+
if (directIndex === null) return null;
|
|
1003
|
+
const directToken = params.argv[directIndex]?.trim() ?? "";
|
|
1004
|
+
if (directToken === "run") return resolveOptionFilteredFileOperandIndex({
|
|
1005
|
+
argv: params.argv,
|
|
1006
|
+
startIndex: directIndex + 1,
|
|
1007
|
+
cwd: params.cwd,
|
|
1008
|
+
optionsWithValue: BUN_OPTIONS_WITH_VALUE
|
|
1009
|
+
});
|
|
1010
|
+
if (BUN_SUBCOMMANDS.has(directToken)) return null;
|
|
1011
|
+
if (!looksLikePathToken(directToken)) return null;
|
|
1012
|
+
return directIndex;
|
|
1013
|
+
}
|
|
1014
|
+
function resolveDenoRunScriptOperandIndex(params) {
|
|
1015
|
+
if ((params.argv[1]?.trim() ?? "") !== "run") return null;
|
|
1016
|
+
return resolveOptionFilteredFileOperandIndex({
|
|
1017
|
+
argv: params.argv,
|
|
1018
|
+
startIndex: 2,
|
|
1019
|
+
cwd: params.cwd,
|
|
1020
|
+
optionsWithValue: DENO_RUN_OPTIONS_WITH_VALUE
|
|
1021
|
+
});
|
|
1022
|
+
}
|
|
1023
|
+
function hasRubyUnsafeApprovalFlag(argv) {
|
|
1024
|
+
let afterDoubleDash = false;
|
|
1025
|
+
for (let i = 1; i < argv.length; i += 1) {
|
|
1026
|
+
const token = argv[i]?.trim() ?? "";
|
|
1027
|
+
if (!token) continue;
|
|
1028
|
+
if (afterDoubleDash) return false;
|
|
1029
|
+
if (token === "--") {
|
|
1030
|
+
afterDoubleDash = true;
|
|
1031
|
+
continue;
|
|
1032
|
+
}
|
|
1033
|
+
if (token === "-I" || token === "-r") return true;
|
|
1034
|
+
if (token.startsWith("-I") || token.startsWith("-r")) return true;
|
|
1035
|
+
if (RUBY_UNSAFE_APPROVAL_FLAGS.has(token.toLowerCase())) return true;
|
|
1036
|
+
}
|
|
1037
|
+
return false;
|
|
1038
|
+
}
|
|
1039
|
+
function hasPerlUnsafeApprovalFlag(argv) {
|
|
1040
|
+
let afterDoubleDash = false;
|
|
1041
|
+
for (let i = 1; i < argv.length; i += 1) {
|
|
1042
|
+
const token = argv[i]?.trim() ?? "";
|
|
1043
|
+
if (!token) continue;
|
|
1044
|
+
if (afterDoubleDash) return false;
|
|
1045
|
+
if (token === "--") {
|
|
1046
|
+
afterDoubleDash = true;
|
|
1047
|
+
continue;
|
|
1048
|
+
}
|
|
1049
|
+
if (token === "-I" || token === "-M" || token === "-m") return true;
|
|
1050
|
+
if (token.startsWith("-I") || token.startsWith("-M") || token.startsWith("-m")) return true;
|
|
1051
|
+
if (PERL_UNSAFE_APPROVAL_FLAGS.has(token)) return true;
|
|
1052
|
+
}
|
|
1053
|
+
return false;
|
|
1054
|
+
}
|
|
1055
|
+
function isMutableScriptRunner(executable) {
|
|
1056
|
+
return GENERIC_MUTABLE_SCRIPT_RUNNERS.has(executable) || isInterpreterLikeSafeBin(executable);
|
|
1057
|
+
}
|
|
1058
|
+
function resolveMutableFileOperandIndex(argv, cwd) {
|
|
1059
|
+
const unwrapped = unwrapArgvForMutableOperand(argv);
|
|
1060
|
+
const executable = normalizeExecutableToken(unwrapped.argv[0] ?? "");
|
|
1061
|
+
if (!executable) return null;
|
|
1062
|
+
if (POSIX_SHELL_WRAPPERS.has(executable)) {
|
|
1063
|
+
const shellIndex = resolvePosixShellScriptOperandIndex(unwrapped.argv);
|
|
1064
|
+
return shellIndex === null ? null : unwrapped.baseIndex + shellIndex;
|
|
1065
|
+
}
|
|
1066
|
+
if (MUTABLE_ARGV1_INTERPRETER_PATTERNS.some((pattern) => pattern.test(executable))) {
|
|
1067
|
+
const operand = unwrapped.argv[1]?.trim() ?? "";
|
|
1068
|
+
if (operand && operand !== "-" && !operand.startsWith("-")) return unwrapped.baseIndex + 1;
|
|
1069
|
+
}
|
|
1070
|
+
if (executable === "bun") {
|
|
1071
|
+
const bunIndex = resolveBunScriptOperandIndex({
|
|
1072
|
+
argv: unwrapped.argv,
|
|
1073
|
+
cwd
|
|
1074
|
+
});
|
|
1075
|
+
if (bunIndex !== null) return unwrapped.baseIndex + bunIndex;
|
|
1076
|
+
}
|
|
1077
|
+
if (executable === "deno") {
|
|
1078
|
+
const denoIndex = resolveDenoRunScriptOperandIndex({
|
|
1079
|
+
argv: unwrapped.argv,
|
|
1080
|
+
cwd
|
|
1081
|
+
});
|
|
1082
|
+
if (denoIndex !== null) return unwrapped.baseIndex + denoIndex;
|
|
1083
|
+
}
|
|
1084
|
+
if (executable === "ruby" && hasRubyUnsafeApprovalFlag(unwrapped.argv)) return null;
|
|
1085
|
+
if (executable === "perl" && hasPerlUnsafeApprovalFlag(unwrapped.argv)) return null;
|
|
1086
|
+
if (!isMutableScriptRunner(executable)) return null;
|
|
1087
|
+
const genericIndex = resolveGenericInterpreterScriptOperandIndex({
|
|
1088
|
+
argv: unwrapped.argv,
|
|
1089
|
+
cwd,
|
|
1090
|
+
optionsWithFileValue: executable === "node" || executable === "nodejs" ? NODE_OPTIONS_WITH_FILE_VALUE : void 0
|
|
1091
|
+
});
|
|
1092
|
+
return genericIndex === null ? null : unwrapped.baseIndex + genericIndex;
|
|
1093
|
+
}
|
|
1094
|
+
function shellPayloadNeedsStableBinding(shellCommand, cwd) {
|
|
1095
|
+
const argv = splitShellArgs(shellCommand);
|
|
1096
|
+
if (!argv || argv.length === 0) return false;
|
|
1097
|
+
const snapshot = resolveMutableFileOperandSnapshotSync({
|
|
1098
|
+
argv,
|
|
1099
|
+
cwd,
|
|
1100
|
+
shellCommand: null
|
|
1101
|
+
});
|
|
1102
|
+
if (!snapshot.ok) return true;
|
|
1103
|
+
if (snapshot.snapshot) return true;
|
|
1104
|
+
return resolvesToExistingFileSync(argv[0]?.trim() ?? "", cwd);
|
|
1105
|
+
}
|
|
1106
|
+
function requiresStableInterpreterApprovalBindingWithShellCommand(params) {
|
|
1107
|
+
if (params.shellCommand !== null) return shellPayloadNeedsStableBinding(params.shellCommand, params.cwd);
|
|
1108
|
+
const executable = normalizeExecutableToken(unwrapArgvForMutableOperand(params.argv).argv[0] ?? "");
|
|
1109
|
+
if (!executable) return false;
|
|
1110
|
+
if (POSIX_SHELL_WRAPPERS.has(executable)) return false;
|
|
1111
|
+
return isMutableScriptRunner(executable);
|
|
1112
|
+
}
|
|
1113
|
+
function resolveMutableFileOperandSnapshotSync(params) {
|
|
1114
|
+
const argvIndex = resolveMutableFileOperandIndex(params.argv, params.cwd);
|
|
1115
|
+
if (argvIndex === null) {
|
|
1116
|
+
if (requiresStableInterpreterApprovalBindingWithShellCommand({
|
|
1117
|
+
argv: params.argv,
|
|
1118
|
+
shellCommand: params.shellCommand,
|
|
1119
|
+
cwd: params.cwd
|
|
1120
|
+
})) return {
|
|
1121
|
+
ok: false,
|
|
1122
|
+
message: "SYSTEM_RUN_DENIED: approval cannot safely bind this interpreter/runtime command"
|
|
1123
|
+
};
|
|
1124
|
+
return {
|
|
1125
|
+
ok: true,
|
|
1126
|
+
snapshot: null
|
|
1127
|
+
};
|
|
1128
|
+
}
|
|
1129
|
+
const rawOperand = params.argv[argvIndex]?.trim();
|
|
1130
|
+
if (!rawOperand) return {
|
|
1131
|
+
ok: false,
|
|
1132
|
+
message: "SYSTEM_RUN_DENIED: approval requires a stable script operand"
|
|
1133
|
+
};
|
|
1134
|
+
const resolvedPath = path.resolve(params.cwd ?? process.cwd(), rawOperand);
|
|
1135
|
+
let realPath;
|
|
1136
|
+
let stat;
|
|
1137
|
+
try {
|
|
1138
|
+
realPath = fs.realpathSync(resolvedPath);
|
|
1139
|
+
stat = fs.statSync(realPath);
|
|
1140
|
+
} catch {
|
|
1141
|
+
return {
|
|
1142
|
+
ok: false,
|
|
1143
|
+
message: "SYSTEM_RUN_DENIED: approval requires an existing script operand"
|
|
1144
|
+
};
|
|
1145
|
+
}
|
|
1146
|
+
if (!stat.isFile()) return {
|
|
1147
|
+
ok: false,
|
|
1148
|
+
message: "SYSTEM_RUN_DENIED: approval requires a file script operand"
|
|
1149
|
+
};
|
|
1150
|
+
return {
|
|
1151
|
+
ok: true,
|
|
1152
|
+
snapshot: {
|
|
1153
|
+
argvIndex,
|
|
1154
|
+
path: realPath,
|
|
1155
|
+
sha256: hashFileContentsSync(realPath)
|
|
1156
|
+
}
|
|
1157
|
+
};
|
|
1158
|
+
}
|
|
1159
|
+
function resolveCanonicalApprovalCwdSync(cwd) {
|
|
1160
|
+
const requestedCwd = path.resolve(cwd);
|
|
1161
|
+
let cwdLstat;
|
|
1162
|
+
let cwdStat;
|
|
1163
|
+
let cwdReal;
|
|
1164
|
+
let cwdRealStat;
|
|
1165
|
+
try {
|
|
1166
|
+
cwdLstat = fs.lstatSync(requestedCwd);
|
|
1167
|
+
cwdStat = fs.statSync(requestedCwd);
|
|
1168
|
+
cwdReal = fs.realpathSync(requestedCwd);
|
|
1169
|
+
cwdRealStat = fs.statSync(cwdReal);
|
|
1170
|
+
} catch {
|
|
1171
|
+
return {
|
|
1172
|
+
ok: false,
|
|
1173
|
+
message: "SYSTEM_RUN_DENIED: approval requires an existing canonical cwd"
|
|
1174
|
+
};
|
|
1175
|
+
}
|
|
1176
|
+
if (!cwdStat.isDirectory()) return {
|
|
1177
|
+
ok: false,
|
|
1178
|
+
message: "SYSTEM_RUN_DENIED: approval requires cwd to be a directory"
|
|
1179
|
+
};
|
|
1180
|
+
if (hasMutableSymlinkPathComponentSync(requestedCwd)) return {
|
|
1181
|
+
ok: false,
|
|
1182
|
+
message: "SYSTEM_RUN_DENIED: approval requires canonical cwd (no symlink path components)"
|
|
1183
|
+
};
|
|
1184
|
+
if (cwdLstat.isSymbolicLink()) return {
|
|
1185
|
+
ok: false,
|
|
1186
|
+
message: "SYSTEM_RUN_DENIED: approval requires canonical cwd (no symlink cwd)"
|
|
1187
|
+
};
|
|
1188
|
+
if (!sameFileIdentity(cwdStat, cwdLstat) || !sameFileIdentity(cwdStat, cwdRealStat) || !sameFileIdentity(cwdLstat, cwdRealStat)) return {
|
|
1189
|
+
ok: false,
|
|
1190
|
+
message: "SYSTEM_RUN_DENIED: approval cwd identity mismatch"
|
|
1191
|
+
};
|
|
1192
|
+
return {
|
|
1193
|
+
ok: true,
|
|
1194
|
+
snapshot: {
|
|
1195
|
+
cwd: cwdReal,
|
|
1196
|
+
stat: cwdStat
|
|
1197
|
+
}
|
|
1198
|
+
};
|
|
1199
|
+
}
|
|
1200
|
+
function revalidateApprovedCwdSnapshot(params) {
|
|
1201
|
+
const current = resolveCanonicalApprovalCwdSync(params.snapshot.cwd);
|
|
1202
|
+
if (!current.ok) return false;
|
|
1203
|
+
return sameFileIdentity(params.snapshot.stat, current.snapshot.stat);
|
|
1204
|
+
}
|
|
1205
|
+
function revalidateApprovedMutableFileOperand(params) {
|
|
1206
|
+
const operand = params.argv[params.snapshot.argvIndex]?.trim();
|
|
1207
|
+
if (!operand) return false;
|
|
1208
|
+
const resolvedPath = path.resolve(params.cwd ?? process.cwd(), operand);
|
|
1209
|
+
let realPath;
|
|
1210
|
+
try {
|
|
1211
|
+
realPath = fs.realpathSync(resolvedPath);
|
|
1212
|
+
} catch {
|
|
1213
|
+
return false;
|
|
1214
|
+
}
|
|
1215
|
+
if (realPath !== params.snapshot.path) return false;
|
|
1216
|
+
try {
|
|
1217
|
+
return hashFileContentsSync(realPath) === params.snapshot.sha256;
|
|
1218
|
+
} catch {
|
|
1219
|
+
return false;
|
|
1220
|
+
}
|
|
1221
|
+
}
|
|
1222
|
+
function hardenApprovedExecutionPaths(params) {
|
|
1223
|
+
if (!params.approvedByAsk) return {
|
|
1224
|
+
ok: true,
|
|
1225
|
+
argv: params.argv,
|
|
1226
|
+
argvChanged: false,
|
|
1227
|
+
cwd: params.cwd,
|
|
1228
|
+
approvedCwdSnapshot: void 0
|
|
1229
|
+
};
|
|
1230
|
+
let hardenedCwd = params.cwd;
|
|
1231
|
+
let approvedCwdSnapshot;
|
|
1232
|
+
if (hardenedCwd) {
|
|
1233
|
+
const canonicalCwd = resolveCanonicalApprovalCwdSync(hardenedCwd);
|
|
1234
|
+
if (!canonicalCwd.ok) return canonicalCwd;
|
|
1235
|
+
hardenedCwd = canonicalCwd.snapshot.cwd;
|
|
1236
|
+
approvedCwdSnapshot = canonicalCwd.snapshot;
|
|
1237
|
+
}
|
|
1238
|
+
if (params.argv.length === 0) return {
|
|
1239
|
+
ok: true,
|
|
1240
|
+
argv: params.argv,
|
|
1241
|
+
argvChanged: false,
|
|
1242
|
+
cwd: hardenedCwd,
|
|
1243
|
+
approvedCwdSnapshot
|
|
1244
|
+
};
|
|
1245
|
+
const resolution = resolveCommandResolutionFromArgv(params.argv, hardenedCwd);
|
|
1246
|
+
if (!shouldPinExecutableForApproval({
|
|
1247
|
+
shellCommand: params.shellCommand,
|
|
1248
|
+
wrapperChain: resolution?.wrapperChain
|
|
1249
|
+
})) return {
|
|
1250
|
+
ok: true,
|
|
1251
|
+
argv: params.argv,
|
|
1252
|
+
argvChanged: false,
|
|
1253
|
+
cwd: hardenedCwd,
|
|
1254
|
+
approvedCwdSnapshot
|
|
1255
|
+
};
|
|
1256
|
+
const pinnedExecutable = resolution?.resolvedRealPath ?? resolution?.resolvedPath;
|
|
1257
|
+
if (!pinnedExecutable) return {
|
|
1258
|
+
ok: false,
|
|
1259
|
+
message: "SYSTEM_RUN_DENIED: approval requires a stable executable path"
|
|
1260
|
+
};
|
|
1261
|
+
if (pinnedExecutable === params.argv[0]) return {
|
|
1262
|
+
ok: true,
|
|
1263
|
+
argv: params.argv,
|
|
1264
|
+
argvChanged: false,
|
|
1265
|
+
cwd: hardenedCwd,
|
|
1266
|
+
approvedCwdSnapshot
|
|
1267
|
+
};
|
|
1268
|
+
const argv = [...params.argv];
|
|
1269
|
+
argv[0] = pinnedExecutable;
|
|
1270
|
+
return {
|
|
1271
|
+
ok: true,
|
|
1272
|
+
argv,
|
|
1273
|
+
argvChanged: true,
|
|
1274
|
+
cwd: hardenedCwd,
|
|
1275
|
+
approvedCwdSnapshot
|
|
1276
|
+
};
|
|
1277
|
+
}
|
|
1278
|
+
function buildSystemRunApprovalPlan(params) {
|
|
1279
|
+
const command = resolveSystemRunCommandRequest({
|
|
1280
|
+
command: params.command,
|
|
1281
|
+
rawCommand: params.rawCommand
|
|
1282
|
+
});
|
|
1283
|
+
if (!command.ok) return {
|
|
1284
|
+
ok: false,
|
|
1285
|
+
message: command.message
|
|
1286
|
+
};
|
|
1287
|
+
if (command.argv.length === 0) return {
|
|
1288
|
+
ok: false,
|
|
1289
|
+
message: "command required"
|
|
1290
|
+
};
|
|
1291
|
+
const hardening = hardenApprovedExecutionPaths({
|
|
1292
|
+
approvedByAsk: true,
|
|
1293
|
+
argv: command.argv,
|
|
1294
|
+
shellCommand: command.shellPayload,
|
|
1295
|
+
cwd: normalizeString(params.cwd) ?? void 0
|
|
1296
|
+
});
|
|
1297
|
+
if (!hardening.ok) return {
|
|
1298
|
+
ok: false,
|
|
1299
|
+
message: hardening.message
|
|
1300
|
+
};
|
|
1301
|
+
const commandText = formatExecCommand(hardening.argv);
|
|
1302
|
+
const commandPreview = command.previewText?.trim() && command.previewText.trim() !== commandText ? command.previewText.trim() : null;
|
|
1303
|
+
const mutableFileOperand = resolveMutableFileOperandSnapshotSync({
|
|
1304
|
+
argv: hardening.argv,
|
|
1305
|
+
cwd: hardening.cwd,
|
|
1306
|
+
shellCommand: command.shellPayload
|
|
1307
|
+
});
|
|
1308
|
+
if (!mutableFileOperand.ok) return {
|
|
1309
|
+
ok: false,
|
|
1310
|
+
message: mutableFileOperand.message
|
|
1311
|
+
};
|
|
1312
|
+
return {
|
|
1313
|
+
ok: true,
|
|
1314
|
+
plan: {
|
|
1315
|
+
argv: hardening.argv,
|
|
1316
|
+
cwd: hardening.cwd ?? null,
|
|
1317
|
+
commandText,
|
|
1318
|
+
commandPreview,
|
|
1319
|
+
agentId: normalizeString(params.agentId),
|
|
1320
|
+
sessionKey: normalizeString(params.sessionKey),
|
|
1321
|
+
mutableFileOperand: mutableFileOperand.snapshot ?? void 0
|
|
1322
|
+
}
|
|
1323
|
+
};
|
|
1324
|
+
}
|
|
1325
|
+
//#endregion
|
|
1326
|
+
//#region src/node-host/invoke-system-run.ts
|
|
1327
|
+
const safeBinTrustedDirWarningCache = /* @__PURE__ */ new Set();
|
|
1328
|
+
const APPROVAL_CWD_DRIFT_DENIED_MESSAGE = "SYSTEM_RUN_DENIED: approval cwd changed before execution";
|
|
1329
|
+
const APPROVAL_SCRIPT_OPERAND_BINDING_DENIED_MESSAGE = "SYSTEM_RUN_DENIED: approval missing script operand binding";
|
|
1330
|
+
const APPROVAL_SCRIPT_OPERAND_DRIFT_DENIED_MESSAGE = "SYSTEM_RUN_DENIED: approval script operand changed before execution";
|
|
1331
|
+
function warnWritableTrustedDirOnce(message) {
|
|
1332
|
+
if (safeBinTrustedDirWarningCache.has(message)) return;
|
|
1333
|
+
safeBinTrustedDirWarningCache.add(message);
|
|
1334
|
+
logWarn(message);
|
|
1335
|
+
}
|
|
1336
|
+
function normalizeDeniedReason(reason) {
|
|
1337
|
+
switch (reason) {
|
|
1338
|
+
case "security=deny":
|
|
1339
|
+
case "approval-required":
|
|
1340
|
+
case "allowlist-miss":
|
|
1341
|
+
case "execution-plan-miss":
|
|
1342
|
+
case "companion-unavailable":
|
|
1343
|
+
case "permission:screenRecording": return reason;
|
|
1344
|
+
default: return "approval-required";
|
|
1345
|
+
}
|
|
1346
|
+
}
|
|
1347
|
+
async function sendSystemRunDenied(opts, execution, params) {
|
|
1348
|
+
await opts.sendNodeEvent(opts.client, "exec.denied", opts.buildExecEventPayload({
|
|
1349
|
+
sessionKey: execution.sessionKey,
|
|
1350
|
+
runId: execution.runId,
|
|
1351
|
+
host: "node",
|
|
1352
|
+
command: execution.commandText,
|
|
1353
|
+
reason: params.reason,
|
|
1354
|
+
suppressNotifyOnExit: execution.suppressNotifyOnExit
|
|
1355
|
+
}));
|
|
1356
|
+
await opts.sendInvokeResult({
|
|
1357
|
+
ok: false,
|
|
1358
|
+
error: {
|
|
1359
|
+
code: "UNAVAILABLE",
|
|
1360
|
+
message: params.message
|
|
1361
|
+
}
|
|
1362
|
+
});
|
|
1363
|
+
}
|
|
1364
|
+
async function sendSystemRunCompleted(opts, execution, result, payloadJSON) {
|
|
1365
|
+
await opts.sendExecFinishedEvent({
|
|
1366
|
+
sessionKey: execution.sessionKey,
|
|
1367
|
+
runId: execution.runId,
|
|
1368
|
+
commandText: execution.commandText,
|
|
1369
|
+
result,
|
|
1370
|
+
suppressNotifyOnExit: execution.suppressNotifyOnExit
|
|
1371
|
+
});
|
|
1372
|
+
await opts.sendInvokeResult({
|
|
1373
|
+
ok: true,
|
|
1374
|
+
payloadJSON
|
|
1375
|
+
});
|
|
1376
|
+
}
|
|
1377
|
+
async function parseSystemRunPhase(opts) {
|
|
1378
|
+
const command = resolveSystemRunCommandRequest({
|
|
1379
|
+
command: opts.params.command,
|
|
1380
|
+
rawCommand: opts.params.rawCommand
|
|
1381
|
+
});
|
|
1382
|
+
if (!command.ok) {
|
|
1383
|
+
await opts.sendInvokeResult({
|
|
1384
|
+
ok: false,
|
|
1385
|
+
error: {
|
|
1386
|
+
code: "INVALID_REQUEST",
|
|
1387
|
+
message: command.message
|
|
1388
|
+
}
|
|
1389
|
+
});
|
|
1390
|
+
return null;
|
|
1391
|
+
}
|
|
1392
|
+
if (command.argv.length === 0) {
|
|
1393
|
+
await opts.sendInvokeResult({
|
|
1394
|
+
ok: false,
|
|
1395
|
+
error: {
|
|
1396
|
+
code: "INVALID_REQUEST",
|
|
1397
|
+
message: "command required"
|
|
1398
|
+
}
|
|
1399
|
+
});
|
|
1400
|
+
return null;
|
|
1401
|
+
}
|
|
1402
|
+
const shellPayload = command.shellPayload;
|
|
1403
|
+
const commandText = command.commandText;
|
|
1404
|
+
const approvalPlan = opts.params.systemRunPlan === void 0 ? null : normalizeSystemRunApprovalPlan(opts.params.systemRunPlan);
|
|
1405
|
+
if (opts.params.systemRunPlan !== void 0 && !approvalPlan) {
|
|
1406
|
+
await opts.sendInvokeResult({
|
|
1407
|
+
ok: false,
|
|
1408
|
+
error: {
|
|
1409
|
+
code: "INVALID_REQUEST",
|
|
1410
|
+
message: "systemRunPlan invalid"
|
|
1411
|
+
}
|
|
1412
|
+
});
|
|
1413
|
+
return null;
|
|
1414
|
+
}
|
|
1415
|
+
const agentId = opts.params.agentId?.trim() || void 0;
|
|
1416
|
+
const sessionKey = opts.params.sessionKey?.trim() || "node";
|
|
1417
|
+
const runId = opts.params.runId?.trim() || crypto.randomUUID();
|
|
1418
|
+
const suppressNotifyOnExit = opts.params.suppressNotifyOnExit === true;
|
|
1419
|
+
const envOverrides = sanitizeSystemRunEnvOverrides({
|
|
1420
|
+
overrides: opts.params.env ?? void 0,
|
|
1421
|
+
shellWrapper: shellPayload !== null
|
|
1422
|
+
});
|
|
1423
|
+
return {
|
|
1424
|
+
argv: command.argv,
|
|
1425
|
+
shellPayload,
|
|
1426
|
+
commandText,
|
|
1427
|
+
commandPreview: command.previewText,
|
|
1428
|
+
approvalPlan,
|
|
1429
|
+
agentId,
|
|
1430
|
+
sessionKey,
|
|
1431
|
+
runId,
|
|
1432
|
+
execution: {
|
|
1433
|
+
sessionKey,
|
|
1434
|
+
runId,
|
|
1435
|
+
commandText,
|
|
1436
|
+
suppressNotifyOnExit
|
|
1437
|
+
},
|
|
1438
|
+
approvalDecision: resolveExecApprovalDecision(opts.params.approvalDecision),
|
|
1439
|
+
envOverrides,
|
|
1440
|
+
env: opts.sanitizeEnv(envOverrides),
|
|
1441
|
+
cwd: opts.params.cwd?.trim() || void 0,
|
|
1442
|
+
timeoutMs: opts.params.timeoutMs ?? void 0,
|
|
1443
|
+
needsScreenRecording: opts.params.needsScreenRecording === true,
|
|
1444
|
+
approved: opts.params.approved === true,
|
|
1445
|
+
suppressNotifyOnExit
|
|
1446
|
+
};
|
|
1447
|
+
}
|
|
1448
|
+
async function evaluateSystemRunPolicyPhase(opts, parsed) {
|
|
1449
|
+
const cfg = loadConfig();
|
|
1450
|
+
const agentExec = parsed.agentId ? resolveAgentConfig(cfg, parsed.agentId)?.tools?.exec : void 0;
|
|
1451
|
+
const configuredSecurity = opts.resolveExecSecurity(agentExec?.security ?? cfg.tools?.exec?.security);
|
|
1452
|
+
const configuredAsk = opts.resolveExecAsk(agentExec?.ask ?? cfg.tools?.exec?.ask);
|
|
1453
|
+
const approvals = resolveExecApprovals(parsed.agentId, {
|
|
1454
|
+
security: configuredSecurity,
|
|
1455
|
+
ask: configuredAsk
|
|
1456
|
+
});
|
|
1457
|
+
const security = approvals.agent.security;
|
|
1458
|
+
const ask = approvals.agent.ask;
|
|
1459
|
+
const autoAllowSkills = approvals.agent.autoAllowSkills;
|
|
1460
|
+
const { safeBins, safeBinProfiles, trustedSafeBinDirs } = resolveExecSafeBinRuntimePolicy({
|
|
1461
|
+
global: cfg.tools?.exec,
|
|
1462
|
+
local: agentExec,
|
|
1463
|
+
onWarning: warnWritableTrustedDirOnce
|
|
1464
|
+
});
|
|
1465
|
+
const bins = autoAllowSkills ? await opts.skillBins.current() : [];
|
|
1466
|
+
let { analysisOk, allowlistMatches, allowlistSatisfied, segments } = evaluateSystemRunAllowlist({
|
|
1467
|
+
shellCommand: parsed.shellPayload,
|
|
1468
|
+
argv: parsed.argv,
|
|
1469
|
+
approvals,
|
|
1470
|
+
security,
|
|
1471
|
+
safeBins,
|
|
1472
|
+
safeBinProfiles,
|
|
1473
|
+
trustedSafeBinDirs,
|
|
1474
|
+
cwd: parsed.cwd,
|
|
1475
|
+
env: parsed.env,
|
|
1476
|
+
skillBins: bins,
|
|
1477
|
+
autoAllowSkills
|
|
1478
|
+
});
|
|
1479
|
+
const isWindows = process.platform === "win32";
|
|
1480
|
+
const cmdInvocation = parsed.shellPayload ? opts.isCmdExeInvocation(segments[0]?.argv ?? []) : opts.isCmdExeInvocation(parsed.argv);
|
|
1481
|
+
const policy = evaluateSystemRunPolicy({
|
|
1482
|
+
security,
|
|
1483
|
+
ask,
|
|
1484
|
+
analysisOk,
|
|
1485
|
+
allowlistSatisfied,
|
|
1486
|
+
approvalDecision: parsed.approvalDecision,
|
|
1487
|
+
approved: parsed.approved,
|
|
1488
|
+
isWindows,
|
|
1489
|
+
cmdInvocation,
|
|
1490
|
+
shellWrapperInvocation: parsed.shellPayload !== null
|
|
1491
|
+
});
|
|
1492
|
+
analysisOk = policy.analysisOk;
|
|
1493
|
+
allowlistSatisfied = policy.allowlistSatisfied;
|
|
1494
|
+
if (!policy.allowed) {
|
|
1495
|
+
await sendSystemRunDenied(opts, parsed.execution, {
|
|
1496
|
+
reason: policy.eventReason,
|
|
1497
|
+
message: policy.errorMessage
|
|
1498
|
+
});
|
|
1499
|
+
return null;
|
|
1500
|
+
}
|
|
1501
|
+
if (security === "allowlist" && parsed.shellPayload && !policy.approvedByAsk) {
|
|
1502
|
+
await sendSystemRunDenied(opts, parsed.execution, {
|
|
1503
|
+
reason: "approval-required",
|
|
1504
|
+
message: "SYSTEM_RUN_DENIED: approval required"
|
|
1505
|
+
});
|
|
1506
|
+
return null;
|
|
1507
|
+
}
|
|
1508
|
+
const hardenedPaths = hardenApprovedExecutionPaths({
|
|
1509
|
+
approvedByAsk: policy.approvedByAsk,
|
|
1510
|
+
argv: parsed.argv,
|
|
1511
|
+
shellCommand: parsed.shellPayload,
|
|
1512
|
+
cwd: parsed.cwd
|
|
1513
|
+
});
|
|
1514
|
+
if (!hardenedPaths.ok) {
|
|
1515
|
+
await sendSystemRunDenied(opts, parsed.execution, {
|
|
1516
|
+
reason: "approval-required",
|
|
1517
|
+
message: hardenedPaths.message
|
|
1518
|
+
});
|
|
1519
|
+
return null;
|
|
1520
|
+
}
|
|
1521
|
+
const approvedCwdSnapshot = policy.approvedByAsk ? hardenedPaths.approvedCwdSnapshot : void 0;
|
|
1522
|
+
if (policy.approvedByAsk && hardenedPaths.cwd && !approvedCwdSnapshot) {
|
|
1523
|
+
await sendSystemRunDenied(opts, parsed.execution, {
|
|
1524
|
+
reason: "approval-required",
|
|
1525
|
+
message: APPROVAL_CWD_DRIFT_DENIED_MESSAGE
|
|
1526
|
+
});
|
|
1527
|
+
return null;
|
|
1528
|
+
}
|
|
1529
|
+
const plannedAllowlistArgv = resolvePlannedAllowlistArgv({
|
|
1530
|
+
security,
|
|
1531
|
+
shellCommand: parsed.shellPayload,
|
|
1532
|
+
policy,
|
|
1533
|
+
segments
|
|
1534
|
+
});
|
|
1535
|
+
if (plannedAllowlistArgv === null) {
|
|
1536
|
+
await sendSystemRunDenied(opts, parsed.execution, {
|
|
1537
|
+
reason: "execution-plan-miss",
|
|
1538
|
+
message: "SYSTEM_RUN_DENIED: execution plan mismatch"
|
|
1539
|
+
});
|
|
1540
|
+
return null;
|
|
1541
|
+
}
|
|
1542
|
+
return {
|
|
1543
|
+
...parsed,
|
|
1544
|
+
argv: hardenedPaths.argv,
|
|
1545
|
+
cwd: hardenedPaths.cwd,
|
|
1546
|
+
approvals,
|
|
1547
|
+
security,
|
|
1548
|
+
policy,
|
|
1549
|
+
allowlistMatches,
|
|
1550
|
+
analysisOk,
|
|
1551
|
+
allowlistSatisfied,
|
|
1552
|
+
segments,
|
|
1553
|
+
plannedAllowlistArgv: plannedAllowlistArgv ?? void 0,
|
|
1554
|
+
isWindows,
|
|
1555
|
+
approvedCwdSnapshot
|
|
1556
|
+
};
|
|
1557
|
+
}
|
|
1558
|
+
async function executeSystemRunPhase(opts, phase) {
|
|
1559
|
+
if (phase.approvedCwdSnapshot && !revalidateApprovedCwdSnapshot({ snapshot: phase.approvedCwdSnapshot })) {
|
|
1560
|
+
logWarn(`security: system.run approval cwd drift blocked (runId=${phase.runId})`);
|
|
1561
|
+
await sendSystemRunDenied(opts, phase.execution, {
|
|
1562
|
+
reason: "approval-required",
|
|
1563
|
+
message: APPROVAL_CWD_DRIFT_DENIED_MESSAGE
|
|
1564
|
+
});
|
|
1565
|
+
return;
|
|
1566
|
+
}
|
|
1567
|
+
const expectedMutableFileOperand = phase.approvalPlan ? resolveMutableFileOperandSnapshotSync({
|
|
1568
|
+
argv: phase.argv,
|
|
1569
|
+
cwd: phase.cwd,
|
|
1570
|
+
shellCommand: phase.shellPayload
|
|
1571
|
+
}) : null;
|
|
1572
|
+
if (expectedMutableFileOperand && !expectedMutableFileOperand.ok) {
|
|
1573
|
+
logWarn(`security: system.run approval script binding blocked (runId=${phase.runId})`);
|
|
1574
|
+
await sendSystemRunDenied(opts, phase.execution, {
|
|
1575
|
+
reason: "approval-required",
|
|
1576
|
+
message: expectedMutableFileOperand.message
|
|
1577
|
+
});
|
|
1578
|
+
return;
|
|
1579
|
+
}
|
|
1580
|
+
if (expectedMutableFileOperand?.snapshot && !phase.approvalPlan?.mutableFileOperand) {
|
|
1581
|
+
logWarn(`security: system.run approval script binding missing (runId=${phase.runId})`);
|
|
1582
|
+
await sendSystemRunDenied(opts, phase.execution, {
|
|
1583
|
+
reason: "approval-required",
|
|
1584
|
+
message: APPROVAL_SCRIPT_OPERAND_BINDING_DENIED_MESSAGE
|
|
1585
|
+
});
|
|
1586
|
+
return;
|
|
1587
|
+
}
|
|
1588
|
+
if (phase.approvalPlan?.mutableFileOperand && !revalidateApprovedMutableFileOperand({
|
|
1589
|
+
snapshot: phase.approvalPlan.mutableFileOperand,
|
|
1590
|
+
argv: phase.argv,
|
|
1591
|
+
cwd: phase.cwd
|
|
1592
|
+
})) {
|
|
1593
|
+
logWarn(`security: system.run approval script drift blocked (runId=${phase.runId})`);
|
|
1594
|
+
await sendSystemRunDenied(opts, phase.execution, {
|
|
1595
|
+
reason: "approval-required",
|
|
1596
|
+
message: APPROVAL_SCRIPT_OPERAND_DRIFT_DENIED_MESSAGE
|
|
1597
|
+
});
|
|
1598
|
+
return;
|
|
1599
|
+
}
|
|
1600
|
+
if (opts.preferMacAppExecHost) {
|
|
1601
|
+
const execRequest = {
|
|
1602
|
+
command: phase.plannedAllowlistArgv ?? phase.argv,
|
|
1603
|
+
rawCommand: phase.commandText || null,
|
|
1604
|
+
cwd: phase.cwd ?? null,
|
|
1605
|
+
env: phase.envOverrides ?? null,
|
|
1606
|
+
timeoutMs: phase.timeoutMs ?? null,
|
|
1607
|
+
needsScreenRecording: phase.needsScreenRecording,
|
|
1608
|
+
agentId: phase.agentId ?? null,
|
|
1609
|
+
sessionKey: phase.sessionKey ?? null,
|
|
1610
|
+
approvalDecision: phase.approvalDecision
|
|
1611
|
+
};
|
|
1612
|
+
const response = await opts.runViaMacAppExecHost({
|
|
1613
|
+
approvals: phase.approvals,
|
|
1614
|
+
request: execRequest
|
|
1615
|
+
});
|
|
1616
|
+
if (!response) {
|
|
1617
|
+
if (opts.execHostEnforced || !opts.execHostFallbackAllowed) {
|
|
1618
|
+
await sendSystemRunDenied(opts, phase.execution, {
|
|
1619
|
+
reason: "companion-unavailable",
|
|
1620
|
+
message: "COMPANION_APP_UNAVAILABLE: macOS app exec host unreachable"
|
|
1621
|
+
});
|
|
1622
|
+
return;
|
|
1623
|
+
}
|
|
1624
|
+
} else if (!response.ok) {
|
|
1625
|
+
await sendSystemRunDenied(opts, phase.execution, {
|
|
1626
|
+
reason: normalizeDeniedReason(response.error.reason),
|
|
1627
|
+
message: response.error.message
|
|
1628
|
+
});
|
|
1629
|
+
return;
|
|
1630
|
+
} else {
|
|
1631
|
+
const result = response.payload;
|
|
1632
|
+
await sendSystemRunCompleted(opts, phase.execution, result, JSON.stringify(result));
|
|
1633
|
+
return;
|
|
1634
|
+
}
|
|
1635
|
+
}
|
|
1636
|
+
if (phase.policy.approvalDecision === "allow-always" && phase.security === "allowlist") {
|
|
1637
|
+
if (phase.policy.analysisOk) {
|
|
1638
|
+
const patterns = resolveAllowAlwaysPatterns({
|
|
1639
|
+
segments: phase.segments,
|
|
1640
|
+
cwd: phase.cwd,
|
|
1641
|
+
env: phase.env,
|
|
1642
|
+
platform: process.platform
|
|
1643
|
+
});
|
|
1644
|
+
for (const pattern of patterns) if (pattern) addAllowlistEntry(phase.approvals.file, phase.agentId, pattern);
|
|
1645
|
+
}
|
|
1646
|
+
}
|
|
1647
|
+
if (phase.allowlistMatches.length > 0) {
|
|
1648
|
+
const seen = /* @__PURE__ */ new Set();
|
|
1649
|
+
for (const match of phase.allowlistMatches) {
|
|
1650
|
+
if (!match?.pattern || seen.has(match.pattern)) continue;
|
|
1651
|
+
seen.add(match.pattern);
|
|
1652
|
+
recordAllowlistUse(phase.approvals.file, phase.agentId, match, phase.commandText, phase.segments[0]?.resolution?.resolvedPath);
|
|
1653
|
+
}
|
|
1654
|
+
}
|
|
1655
|
+
if (phase.needsScreenRecording) {
|
|
1656
|
+
await sendSystemRunDenied(opts, phase.execution, {
|
|
1657
|
+
reason: "permission:screenRecording",
|
|
1658
|
+
message: "PERMISSION_MISSING: screenRecording"
|
|
1659
|
+
});
|
|
1660
|
+
return;
|
|
1661
|
+
}
|
|
1662
|
+
const execArgv = resolveSystemRunExecArgv({
|
|
1663
|
+
plannedAllowlistArgv: phase.plannedAllowlistArgv,
|
|
1664
|
+
argv: phase.argv,
|
|
1665
|
+
security: phase.security,
|
|
1666
|
+
isWindows: phase.isWindows,
|
|
1667
|
+
policy: phase.policy,
|
|
1668
|
+
shellCommand: phase.shellPayload,
|
|
1669
|
+
segments: phase.segments
|
|
1670
|
+
});
|
|
1671
|
+
const result = await opts.runCommand(execArgv, phase.cwd, phase.env, phase.timeoutMs);
|
|
1672
|
+
applyOutputTruncation(result);
|
|
1673
|
+
await sendSystemRunCompleted(opts, phase.execution, result, JSON.stringify({
|
|
1674
|
+
exitCode: result.exitCode,
|
|
1675
|
+
timedOut: result.timedOut,
|
|
1676
|
+
success: result.success,
|
|
1677
|
+
stdout: result.stdout,
|
|
1678
|
+
stderr: result.stderr,
|
|
1679
|
+
error: result.error ?? null
|
|
1680
|
+
}));
|
|
1681
|
+
}
|
|
1682
|
+
async function handleSystemRunInvoke(opts) {
|
|
1683
|
+
const parsed = await parseSystemRunPhase(opts);
|
|
1684
|
+
if (!parsed) return;
|
|
1685
|
+
const policyPhase = await evaluateSystemRunPolicyPhase(opts, parsed);
|
|
1686
|
+
if (!policyPhase) return;
|
|
1687
|
+
await executeSystemRunPhase(opts, policyPhase);
|
|
1688
|
+
}
|
|
1689
|
+
//#endregion
|
|
1690
|
+
//#region src/node-host/invoke.ts
|
|
1691
|
+
const OUTPUT_CAP = 2e5;
|
|
1692
|
+
const OUTPUT_EVENT_TAIL = 2e4;
|
|
1693
|
+
const DEFAULT_NODE_PATH$1 = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
|
|
1694
|
+
const WINDOWS_CODEPAGE_ENCODING_MAP = {
|
|
1695
|
+
65001: "utf-8",
|
|
1696
|
+
54936: "gb18030",
|
|
1697
|
+
936: "gbk",
|
|
1698
|
+
950: "big5",
|
|
1699
|
+
932: "shift_jis",
|
|
1700
|
+
949: "euc-kr",
|
|
1701
|
+
1252: "windows-1252"
|
|
1702
|
+
};
|
|
1703
|
+
let cachedWindowsConsoleEncoding;
|
|
1704
|
+
const execHostEnforced = process.env.MOLDCLAW_NODE_EXEC_HOST?.trim().toLowerCase() === "app";
|
|
1705
|
+
const execHostFallbackAllowed = process.env.MOLDCLAW_NODE_EXEC_FALLBACK?.trim().toLowerCase() !== "0";
|
|
1706
|
+
const preferMacAppExecHost = process.platform === "darwin" && execHostEnforced;
|
|
1707
|
+
function resolveExecSecurity(value) {
|
|
1708
|
+
return value === "deny" || value === "allowlist" || value === "full" ? value : "allowlist";
|
|
1709
|
+
}
|
|
1710
|
+
function isCmdExeInvocation(argv) {
|
|
1711
|
+
const token = argv[0]?.trim();
|
|
1712
|
+
if (!token) return false;
|
|
1713
|
+
const base = path.win32.basename(token).toLowerCase();
|
|
1714
|
+
return base === "cmd.exe" || base === "cmd";
|
|
1715
|
+
}
|
|
1716
|
+
function resolveExecAsk(value) {
|
|
1717
|
+
return value === "off" || value === "on-miss" || value === "always" ? value : "on-miss";
|
|
1718
|
+
}
|
|
1719
|
+
function sanitizeEnv(overrides) {
|
|
1720
|
+
return sanitizeHostExecEnv({
|
|
1721
|
+
overrides,
|
|
1722
|
+
blockPathOverrides: true
|
|
1723
|
+
});
|
|
1724
|
+
}
|
|
1725
|
+
function truncateOutput(raw, maxChars) {
|
|
1726
|
+
if (raw.length <= maxChars) return {
|
|
1727
|
+
text: raw,
|
|
1728
|
+
truncated: false
|
|
1729
|
+
};
|
|
1730
|
+
return {
|
|
1731
|
+
text: `... (truncated) ${raw.slice(raw.length - maxChars)}`,
|
|
1732
|
+
truncated: true
|
|
1733
|
+
};
|
|
1734
|
+
}
|
|
1735
|
+
function parseWindowsCodePage(raw) {
|
|
1736
|
+
if (!raw) return null;
|
|
1737
|
+
const match = raw.match(/\b(\d{3,5})\b/);
|
|
1738
|
+
if (!match?.[1]) return null;
|
|
1739
|
+
const codePage = Number.parseInt(match[1], 10);
|
|
1740
|
+
if (!Number.isFinite(codePage) || codePage <= 0) return null;
|
|
1741
|
+
return codePage;
|
|
1742
|
+
}
|
|
1743
|
+
function resolveWindowsConsoleEncoding() {
|
|
1744
|
+
if (process.platform !== "win32") return null;
|
|
1745
|
+
if (cachedWindowsConsoleEncoding !== void 0) return cachedWindowsConsoleEncoding;
|
|
1746
|
+
try {
|
|
1747
|
+
const result = spawnSync("cmd.exe", [
|
|
1748
|
+
"/d",
|
|
1749
|
+
"/s",
|
|
1750
|
+
"/c",
|
|
1751
|
+
"chcp"
|
|
1752
|
+
], {
|
|
1753
|
+
windowsHide: true,
|
|
1754
|
+
encoding: "utf8",
|
|
1755
|
+
stdio: [
|
|
1756
|
+
"ignore",
|
|
1757
|
+
"pipe",
|
|
1758
|
+
"pipe"
|
|
1759
|
+
]
|
|
1760
|
+
});
|
|
1761
|
+
const codePage = parseWindowsCodePage(`${result.stdout ?? ""}\n${result.stderr ?? ""}`);
|
|
1762
|
+
cachedWindowsConsoleEncoding = codePage !== null ? WINDOWS_CODEPAGE_ENCODING_MAP[codePage] ?? null : null;
|
|
1763
|
+
} catch {
|
|
1764
|
+
cachedWindowsConsoleEncoding = null;
|
|
1765
|
+
}
|
|
1766
|
+
return cachedWindowsConsoleEncoding;
|
|
1767
|
+
}
|
|
1768
|
+
function decodeCapturedOutputBuffer(params) {
|
|
1769
|
+
const utf8 = params.buffer.toString("utf8");
|
|
1770
|
+
if ((params.platform ?? process.platform) !== "win32") return utf8;
|
|
1771
|
+
const encoding = params.windowsEncoding ?? resolveWindowsConsoleEncoding();
|
|
1772
|
+
if (!encoding || encoding.toLowerCase() === "utf-8") return utf8;
|
|
1773
|
+
try {
|
|
1774
|
+
return new TextDecoder(encoding).decode(params.buffer);
|
|
1775
|
+
} catch {
|
|
1776
|
+
return utf8;
|
|
1777
|
+
}
|
|
1778
|
+
}
|
|
1779
|
+
function redactExecApprovals(file) {
|
|
1780
|
+
const socketPath = file.socket?.path?.trim();
|
|
1781
|
+
return {
|
|
1782
|
+
...file,
|
|
1783
|
+
socket: socketPath ? { path: socketPath } : void 0
|
|
1784
|
+
};
|
|
1785
|
+
}
|
|
1786
|
+
function requireExecApprovalsBaseHash(params, snapshot) {
|
|
1787
|
+
if (!snapshot.exists) return;
|
|
1788
|
+
if (!snapshot.hash) throw new Error("INVALID_REQUEST: exec approvals base hash unavailable; reload and retry");
|
|
1789
|
+
const baseHash = typeof params.baseHash === "string" ? params.baseHash.trim() : "";
|
|
1790
|
+
if (!baseHash) throw new Error("INVALID_REQUEST: exec approvals base hash required; reload and retry");
|
|
1791
|
+
if (baseHash !== snapshot.hash) throw new Error("INVALID_REQUEST: exec approvals changed; reload and retry");
|
|
1792
|
+
}
|
|
1793
|
+
async function runCommand(argv, cwd, env, timeoutMs) {
|
|
1794
|
+
return await new Promise((resolve) => {
|
|
1795
|
+
const stdoutChunks = [];
|
|
1796
|
+
const stderrChunks = [];
|
|
1797
|
+
let outputLen = 0;
|
|
1798
|
+
let truncated = false;
|
|
1799
|
+
let timedOut = false;
|
|
1800
|
+
let settled = false;
|
|
1801
|
+
const windowsEncoding = resolveWindowsConsoleEncoding();
|
|
1802
|
+
const child = spawn(argv[0], argv.slice(1), {
|
|
1803
|
+
cwd,
|
|
1804
|
+
env,
|
|
1805
|
+
stdio: [
|
|
1806
|
+
"ignore",
|
|
1807
|
+
"pipe",
|
|
1808
|
+
"pipe"
|
|
1809
|
+
],
|
|
1810
|
+
windowsHide: true
|
|
1811
|
+
});
|
|
1812
|
+
const onChunk = (chunk, target) => {
|
|
1813
|
+
if (outputLen >= OUTPUT_CAP) {
|
|
1814
|
+
truncated = true;
|
|
1815
|
+
return;
|
|
1816
|
+
}
|
|
1817
|
+
const remaining = OUTPUT_CAP - outputLen;
|
|
1818
|
+
const slice = chunk.length > remaining ? chunk.subarray(0, remaining) : chunk;
|
|
1819
|
+
outputLen += slice.length;
|
|
1820
|
+
if (target === "stdout") stdoutChunks.push(slice);
|
|
1821
|
+
else stderrChunks.push(slice);
|
|
1822
|
+
if (chunk.length > remaining) truncated = true;
|
|
1823
|
+
};
|
|
1824
|
+
child.stdout?.on("data", (chunk) => onChunk(chunk, "stdout"));
|
|
1825
|
+
child.stderr?.on("data", (chunk) => onChunk(chunk, "stderr"));
|
|
1826
|
+
let timer;
|
|
1827
|
+
if (timeoutMs && timeoutMs > 0) timer = setTimeout(() => {
|
|
1828
|
+
timedOut = true;
|
|
1829
|
+
try {
|
|
1830
|
+
child.kill("SIGKILL");
|
|
1831
|
+
} catch {}
|
|
1832
|
+
}, timeoutMs);
|
|
1833
|
+
const finalize = (exitCode, error) => {
|
|
1834
|
+
if (settled) return;
|
|
1835
|
+
settled = true;
|
|
1836
|
+
if (timer) clearTimeout(timer);
|
|
1837
|
+
const stdout = decodeCapturedOutputBuffer({
|
|
1838
|
+
buffer: Buffer.concat(stdoutChunks),
|
|
1839
|
+
windowsEncoding
|
|
1840
|
+
});
|
|
1841
|
+
const stderr = decodeCapturedOutputBuffer({
|
|
1842
|
+
buffer: Buffer.concat(stderrChunks),
|
|
1843
|
+
windowsEncoding
|
|
1844
|
+
});
|
|
1845
|
+
resolve({
|
|
1846
|
+
exitCode,
|
|
1847
|
+
timedOut,
|
|
1848
|
+
success: exitCode === 0 && !timedOut && !error,
|
|
1849
|
+
stdout,
|
|
1850
|
+
stderr,
|
|
1851
|
+
error: error ?? null,
|
|
1852
|
+
truncated
|
|
1853
|
+
});
|
|
1854
|
+
};
|
|
1855
|
+
child.on("error", (err) => {
|
|
1856
|
+
finalize(void 0, err.message);
|
|
1857
|
+
});
|
|
1858
|
+
child.on("exit", (code) => {
|
|
1859
|
+
finalize(code === null ? void 0 : code, null);
|
|
1860
|
+
});
|
|
1861
|
+
});
|
|
1862
|
+
}
|
|
1863
|
+
function resolveEnvPath(env) {
|
|
1864
|
+
return (env?.PATH ?? env?.Path ?? process.env.PATH ?? process.env.Path ?? DEFAULT_NODE_PATH$1).split(path.delimiter).filter(Boolean);
|
|
1865
|
+
}
|
|
1866
|
+
function resolveExecutable(bin, env) {
|
|
1867
|
+
if (bin.includes("/") || bin.includes("\\")) return null;
|
|
1868
|
+
const extensions = process.platform === "win32" ? (process.env.PATHEXT ?? process.env.PathExt ?? ".EXE;.CMD;.BAT;.COM").split(";").map((ext) => ext.toLowerCase()) : [""];
|
|
1869
|
+
for (const dir of resolveEnvPath(env)) for (const ext of extensions) {
|
|
1870
|
+
const candidate = path.join(dir, bin + ext);
|
|
1871
|
+
if (fs.existsSync(candidate)) return candidate;
|
|
1872
|
+
}
|
|
1873
|
+
return null;
|
|
1874
|
+
}
|
|
1875
|
+
async function handleSystemWhich(params, env) {
|
|
1876
|
+
const bins = params.bins.map((bin) => bin.trim()).filter(Boolean);
|
|
1877
|
+
const found = {};
|
|
1878
|
+
for (const bin of bins) {
|
|
1879
|
+
const path = resolveExecutable(bin, env);
|
|
1880
|
+
if (path) found[bin] = path;
|
|
1881
|
+
}
|
|
1882
|
+
return { bins: found };
|
|
1883
|
+
}
|
|
1884
|
+
function buildExecEventPayload(payload) {
|
|
1885
|
+
if (!payload.output) return payload;
|
|
1886
|
+
const trimmed = payload.output.trim();
|
|
1887
|
+
if (!trimmed) return payload;
|
|
1888
|
+
const { text } = truncateOutput(trimmed, OUTPUT_EVENT_TAIL);
|
|
1889
|
+
return {
|
|
1890
|
+
...payload,
|
|
1891
|
+
output: text
|
|
1892
|
+
};
|
|
1893
|
+
}
|
|
1894
|
+
async function sendExecFinishedEvent(params) {
|
|
1895
|
+
const combined = [
|
|
1896
|
+
params.result.stdout,
|
|
1897
|
+
params.result.stderr,
|
|
1898
|
+
params.result.error
|
|
1899
|
+
].filter(Boolean).join("\n");
|
|
1900
|
+
await sendNodeEvent(params.client, "exec.finished", buildExecEventPayload({
|
|
1901
|
+
sessionKey: params.sessionKey,
|
|
1902
|
+
runId: params.runId,
|
|
1903
|
+
host: "node",
|
|
1904
|
+
command: params.commandText,
|
|
1905
|
+
exitCode: params.result.exitCode ?? void 0,
|
|
1906
|
+
timedOut: params.result.timedOut,
|
|
1907
|
+
success: params.result.success,
|
|
1908
|
+
output: combined,
|
|
1909
|
+
suppressNotifyOnExit: params.suppressNotifyOnExit
|
|
1910
|
+
}));
|
|
1911
|
+
}
|
|
1912
|
+
async function runViaMacAppExecHost(params) {
|
|
1913
|
+
const { approvals, request } = params;
|
|
1914
|
+
return await requestExecHostViaSocket({
|
|
1915
|
+
socketPath: approvals.socketPath,
|
|
1916
|
+
token: approvals.token,
|
|
1917
|
+
request
|
|
1918
|
+
});
|
|
1919
|
+
}
|
|
1920
|
+
async function sendJsonPayloadResult(client, frame, payload) {
|
|
1921
|
+
await sendInvokeResult(client, frame, {
|
|
1922
|
+
ok: true,
|
|
1923
|
+
payloadJSON: JSON.stringify(payload)
|
|
1924
|
+
});
|
|
1925
|
+
}
|
|
1926
|
+
async function sendRawPayloadResult(client, frame, payloadJSON) {
|
|
1927
|
+
await sendInvokeResult(client, frame, {
|
|
1928
|
+
ok: true,
|
|
1929
|
+
payloadJSON
|
|
1930
|
+
});
|
|
1931
|
+
}
|
|
1932
|
+
async function sendErrorResult(client, frame, code, message) {
|
|
1933
|
+
await sendInvokeResult(client, frame, {
|
|
1934
|
+
ok: false,
|
|
1935
|
+
error: {
|
|
1936
|
+
code,
|
|
1937
|
+
message
|
|
1938
|
+
}
|
|
1939
|
+
});
|
|
1940
|
+
}
|
|
1941
|
+
async function sendInvalidRequestResult(client, frame, err) {
|
|
1942
|
+
await sendErrorResult(client, frame, "INVALID_REQUEST", String(err));
|
|
1943
|
+
}
|
|
1944
|
+
async function handleInvoke(frame, client, skillBins) {
|
|
1945
|
+
const command = String(frame.command ?? "");
|
|
1946
|
+
if (command === "system.execApprovals.get") {
|
|
1947
|
+
try {
|
|
1948
|
+
ensureExecApprovals();
|
|
1949
|
+
const snapshot = readExecApprovalsSnapshot();
|
|
1950
|
+
await sendJsonPayloadResult(client, frame, {
|
|
1951
|
+
path: snapshot.path,
|
|
1952
|
+
exists: snapshot.exists,
|
|
1953
|
+
hash: snapshot.hash,
|
|
1954
|
+
file: redactExecApprovals(snapshot.file)
|
|
1955
|
+
});
|
|
1956
|
+
} catch (err) {
|
|
1957
|
+
const message = String(err);
|
|
1958
|
+
await sendErrorResult(client, frame, message.toLowerCase().includes("timed out") ? "TIMEOUT" : "INVALID_REQUEST", message);
|
|
1959
|
+
}
|
|
1960
|
+
return;
|
|
1961
|
+
}
|
|
1962
|
+
if (command === "system.execApprovals.set") {
|
|
1963
|
+
try {
|
|
1964
|
+
const params = decodeParams(frame.paramsJSON);
|
|
1965
|
+
if (!params.file || typeof params.file !== "object") throw new Error("INVALID_REQUEST: exec approvals file required");
|
|
1966
|
+
ensureExecApprovals();
|
|
1967
|
+
const snapshot = readExecApprovalsSnapshot();
|
|
1968
|
+
requireExecApprovalsBaseHash(params, snapshot);
|
|
1969
|
+
saveExecApprovals(mergeExecApprovalsSocketDefaults({
|
|
1970
|
+
normalized: normalizeExecApprovals(params.file),
|
|
1971
|
+
current: snapshot.file
|
|
1972
|
+
}));
|
|
1973
|
+
const nextSnapshot = readExecApprovalsSnapshot();
|
|
1974
|
+
await sendJsonPayloadResult(client, frame, {
|
|
1975
|
+
path: nextSnapshot.path,
|
|
1976
|
+
exists: nextSnapshot.exists,
|
|
1977
|
+
hash: nextSnapshot.hash,
|
|
1978
|
+
file: redactExecApprovals(nextSnapshot.file)
|
|
1979
|
+
});
|
|
1980
|
+
} catch (err) {
|
|
1981
|
+
await sendInvalidRequestResult(client, frame, err);
|
|
1982
|
+
}
|
|
1983
|
+
return;
|
|
1984
|
+
}
|
|
1985
|
+
if (command === "system.which") {
|
|
1986
|
+
try {
|
|
1987
|
+
const params = decodeParams(frame.paramsJSON);
|
|
1988
|
+
if (!Array.isArray(params.bins)) throw new Error("INVALID_REQUEST: bins required");
|
|
1989
|
+
await sendJsonPayloadResult(client, frame, await handleSystemWhich(params, sanitizeEnv(void 0)));
|
|
1990
|
+
} catch (err) {
|
|
1991
|
+
await sendInvalidRequestResult(client, frame, err);
|
|
1992
|
+
}
|
|
1993
|
+
return;
|
|
1994
|
+
}
|
|
1995
|
+
if (command === "browser.proxy") {
|
|
1996
|
+
try {
|
|
1997
|
+
await sendRawPayloadResult(client, frame, await runBrowserProxyCommand(frame.paramsJSON));
|
|
1998
|
+
} catch (err) {
|
|
1999
|
+
await sendInvalidRequestResult(client, frame, err);
|
|
2000
|
+
}
|
|
2001
|
+
return;
|
|
2002
|
+
}
|
|
2003
|
+
if (command === "system.run.prepare") {
|
|
2004
|
+
try {
|
|
2005
|
+
const prepared = buildSystemRunApprovalPlan(decodeParams(frame.paramsJSON));
|
|
2006
|
+
if (!prepared.ok) {
|
|
2007
|
+
await sendErrorResult(client, frame, "INVALID_REQUEST", prepared.message);
|
|
2008
|
+
return;
|
|
2009
|
+
}
|
|
2010
|
+
await sendJsonPayloadResult(client, frame, { plan: prepared.plan });
|
|
2011
|
+
} catch (err) {
|
|
2012
|
+
await sendInvalidRequestResult(client, frame, err);
|
|
2013
|
+
}
|
|
2014
|
+
return;
|
|
2015
|
+
}
|
|
2016
|
+
if (command !== "system.run") {
|
|
2017
|
+
await sendErrorResult(client, frame, "UNAVAILABLE", "command not supported");
|
|
2018
|
+
return;
|
|
2019
|
+
}
|
|
2020
|
+
let params;
|
|
2021
|
+
try {
|
|
2022
|
+
params = decodeParams(frame.paramsJSON);
|
|
2023
|
+
} catch (err) {
|
|
2024
|
+
await sendInvalidRequestResult(client, frame, err);
|
|
2025
|
+
return;
|
|
2026
|
+
}
|
|
2027
|
+
if (!Array.isArray(params.command) || params.command.length === 0) {
|
|
2028
|
+
await sendErrorResult(client, frame, "INVALID_REQUEST", "command required");
|
|
2029
|
+
return;
|
|
2030
|
+
}
|
|
2031
|
+
await handleSystemRunInvoke({
|
|
2032
|
+
client,
|
|
2033
|
+
params,
|
|
2034
|
+
skillBins,
|
|
2035
|
+
execHostEnforced,
|
|
2036
|
+
execHostFallbackAllowed,
|
|
2037
|
+
resolveExecSecurity,
|
|
2038
|
+
resolveExecAsk,
|
|
2039
|
+
isCmdExeInvocation,
|
|
2040
|
+
sanitizeEnv,
|
|
2041
|
+
runCommand,
|
|
2042
|
+
runViaMacAppExecHost,
|
|
2043
|
+
sendNodeEvent,
|
|
2044
|
+
buildExecEventPayload,
|
|
2045
|
+
sendInvokeResult: async (result) => {
|
|
2046
|
+
await sendInvokeResult(client, frame, result);
|
|
2047
|
+
},
|
|
2048
|
+
sendExecFinishedEvent: async ({ sessionKey, runId, commandText, result }) => {
|
|
2049
|
+
await sendExecFinishedEvent({
|
|
2050
|
+
client,
|
|
2051
|
+
sessionKey,
|
|
2052
|
+
runId,
|
|
2053
|
+
commandText,
|
|
2054
|
+
result
|
|
2055
|
+
});
|
|
2056
|
+
},
|
|
2057
|
+
preferMacAppExecHost
|
|
2058
|
+
});
|
|
2059
|
+
}
|
|
2060
|
+
function decodeParams(raw) {
|
|
2061
|
+
if (!raw) throw new Error("INVALID_REQUEST: paramsJSON required");
|
|
2062
|
+
return JSON.parse(raw);
|
|
2063
|
+
}
|
|
2064
|
+
function coerceNodeInvokePayload(payload) {
|
|
2065
|
+
if (!payload || typeof payload !== "object") return null;
|
|
2066
|
+
const obj = payload;
|
|
2067
|
+
const id = typeof obj.id === "string" ? obj.id.trim() : "";
|
|
2068
|
+
const nodeId = typeof obj.nodeId === "string" ? obj.nodeId.trim() : "";
|
|
2069
|
+
const command = typeof obj.command === "string" ? obj.command.trim() : "";
|
|
2070
|
+
if (!id || !nodeId || !command) return null;
|
|
2071
|
+
return {
|
|
2072
|
+
id,
|
|
2073
|
+
nodeId,
|
|
2074
|
+
command,
|
|
2075
|
+
paramsJSON: typeof obj.paramsJSON === "string" ? obj.paramsJSON : obj.params !== void 0 ? JSON.stringify(obj.params) : null,
|
|
2076
|
+
timeoutMs: typeof obj.timeoutMs === "number" ? obj.timeoutMs : null,
|
|
2077
|
+
idempotencyKey: typeof obj.idempotencyKey === "string" ? obj.idempotencyKey : null
|
|
2078
|
+
};
|
|
2079
|
+
}
|
|
2080
|
+
async function sendInvokeResult(client, frame, result) {
|
|
2081
|
+
try {
|
|
2082
|
+
await client.request("node.invoke.result", buildNodeInvokeResultParams(frame, result));
|
|
2083
|
+
} catch {}
|
|
2084
|
+
}
|
|
2085
|
+
function buildNodeInvokeResultParams(frame, result) {
|
|
2086
|
+
const params = {
|
|
2087
|
+
id: frame.id,
|
|
2088
|
+
nodeId: frame.nodeId,
|
|
2089
|
+
ok: result.ok
|
|
2090
|
+
};
|
|
2091
|
+
if (result.payload !== void 0) params.payload = result.payload;
|
|
2092
|
+
if (typeof result.payloadJSON === "string") params.payloadJSON = result.payloadJSON;
|
|
2093
|
+
if (result.error) params.error = result.error;
|
|
2094
|
+
return params;
|
|
2095
|
+
}
|
|
2096
|
+
async function sendNodeEvent(client, event, payload) {
|
|
2097
|
+
try {
|
|
2098
|
+
await client.request("node.event", {
|
|
2099
|
+
event,
|
|
2100
|
+
payloadJSON: payload ? JSON.stringify(payload) : null
|
|
2101
|
+
});
|
|
2102
|
+
} catch {}
|
|
2103
|
+
}
|
|
2104
|
+
//#endregion
|
|
2105
|
+
//#region src/node-host/runner.ts
|
|
2106
|
+
const DEFAULT_NODE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
|
|
2107
|
+
function resolveExecutablePathFromEnv(bin, pathEnv) {
|
|
2108
|
+
if (bin.includes("/") || bin.includes("\\")) return null;
|
|
2109
|
+
return resolveExecutableFromPathEnv(bin, pathEnv) ?? null;
|
|
2110
|
+
}
|
|
2111
|
+
function resolveSkillBinTrustEntries(bins, pathEnv) {
|
|
2112
|
+
const trustEntries = [];
|
|
2113
|
+
const seen = /* @__PURE__ */ new Set();
|
|
2114
|
+
for (const bin of bins) {
|
|
2115
|
+
const name = bin.trim();
|
|
2116
|
+
if (!name) continue;
|
|
2117
|
+
const resolvedPath = resolveExecutablePathFromEnv(name, pathEnv);
|
|
2118
|
+
if (!resolvedPath) continue;
|
|
2119
|
+
const key = `${name}\u0000${resolvedPath}`;
|
|
2120
|
+
if (seen.has(key)) continue;
|
|
2121
|
+
seen.add(key);
|
|
2122
|
+
trustEntries.push({
|
|
2123
|
+
name,
|
|
2124
|
+
resolvedPath
|
|
2125
|
+
});
|
|
2126
|
+
}
|
|
2127
|
+
return trustEntries.toSorted((left, right) => left.name.localeCompare(right.name) || left.resolvedPath.localeCompare(right.resolvedPath));
|
|
2128
|
+
}
|
|
2129
|
+
var SkillBinsCache = class {
|
|
2130
|
+
constructor(fetch, pathEnv) {
|
|
2131
|
+
this.bins = [];
|
|
2132
|
+
this.lastRefresh = 0;
|
|
2133
|
+
this.ttlMs = 9e4;
|
|
2134
|
+
this.fetch = fetch;
|
|
2135
|
+
this.pathEnv = pathEnv;
|
|
2136
|
+
}
|
|
2137
|
+
async current(force = false) {
|
|
2138
|
+
if (force || Date.now() - this.lastRefresh > this.ttlMs) await this.refresh();
|
|
2139
|
+
return this.bins;
|
|
2140
|
+
}
|
|
2141
|
+
async refresh() {
|
|
2142
|
+
try {
|
|
2143
|
+
this.bins = resolveSkillBinTrustEntries(await this.fetch(), this.pathEnv);
|
|
2144
|
+
this.lastRefresh = Date.now();
|
|
2145
|
+
} catch {
|
|
2146
|
+
if (!this.lastRefresh) this.bins = [];
|
|
2147
|
+
}
|
|
2148
|
+
}
|
|
2149
|
+
};
|
|
2150
|
+
function ensureNodePathEnv() {
|
|
2151
|
+
ensuremoldClawCliOnPath({ pathEnv: process.env.PATH ?? "" });
|
|
2152
|
+
const current = process.env.PATH ?? "";
|
|
2153
|
+
if (current.trim()) return current;
|
|
2154
|
+
process.env.PATH = DEFAULT_NODE_PATH;
|
|
2155
|
+
return DEFAULT_NODE_PATH;
|
|
2156
|
+
}
|
|
2157
|
+
async function resolveNodeHostGatewayCredentials(params) {
|
|
2158
|
+
return await resolveGatewayConnectionAuth({
|
|
2159
|
+
config: (params.config.gateway?.mode === "remote" ? "remote" : "local") === "local" ? buildNodeHostLocalAuthConfig(params.config) : params.config,
|
|
2160
|
+
env: params.env,
|
|
2161
|
+
includeLegacyEnv: false,
|
|
2162
|
+
localTokenPrecedence: "env-first",
|
|
2163
|
+
localPasswordPrecedence: "env-first",
|
|
2164
|
+
remoteTokenPrecedence: "env-first",
|
|
2165
|
+
remotePasswordPrecedence: "env-first"
|
|
2166
|
+
});
|
|
2167
|
+
}
|
|
2168
|
+
function buildNodeHostLocalAuthConfig(config) {
|
|
2169
|
+
if (!config.gateway?.remote?.token && !config.gateway?.remote?.password) return config;
|
|
2170
|
+
const nextConfig = structuredClone(config);
|
|
2171
|
+
if (nextConfig.gateway?.remote) {
|
|
2172
|
+
nextConfig.gateway.remote.token = void 0;
|
|
2173
|
+
nextConfig.gateway.remote.password = void 0;
|
|
2174
|
+
}
|
|
2175
|
+
return nextConfig;
|
|
2176
|
+
}
|
|
2177
|
+
async function runNodeHost(opts) {
|
|
2178
|
+
const config = await ensureNodeHostConfig();
|
|
2179
|
+
const nodeId = opts.nodeId?.trim() || config.nodeId;
|
|
2180
|
+
if (nodeId !== config.nodeId) config.nodeId = nodeId;
|
|
2181
|
+
const displayName = opts.displayName?.trim() || config.displayName || await getMachineDisplayName();
|
|
2182
|
+
config.displayName = displayName;
|
|
2183
|
+
const gateway = {
|
|
2184
|
+
host: opts.gatewayHost,
|
|
2185
|
+
port: opts.gatewayPort,
|
|
2186
|
+
tls: opts.gatewayTls ?? loadConfig().gateway?.tls?.enabled ?? false,
|
|
2187
|
+
tlsFingerprint: opts.gatewayTlsFingerprint
|
|
2188
|
+
};
|
|
2189
|
+
config.gateway = gateway;
|
|
2190
|
+
await saveNodeHostConfig(config);
|
|
2191
|
+
const cfg = loadConfig();
|
|
2192
|
+
const resolvedBrowser = resolveBrowserConfig(cfg.browser, cfg);
|
|
2193
|
+
const browserProxyEnabled = cfg.nodeHost?.browserProxy?.enabled !== false && resolvedBrowser.enabled;
|
|
2194
|
+
const { token, password } = await resolveNodeHostGatewayCredentials({
|
|
2195
|
+
config: cfg,
|
|
2196
|
+
env: process.env
|
|
2197
|
+
});
|
|
2198
|
+
const host = gateway.host ?? "127.0.0.1";
|
|
2199
|
+
const port = gateway.port ?? 28789;
|
|
2200
|
+
const url = `${gateway.tls ? "wss" : "ws"}://${host}:${port}`;
|
|
2201
|
+
const pathEnv = ensureNodePathEnv();
|
|
2202
|
+
const client = new GatewayClient({
|
|
2203
|
+
url,
|
|
2204
|
+
token: token || void 0,
|
|
2205
|
+
password: password || void 0,
|
|
2206
|
+
instanceId: nodeId,
|
|
2207
|
+
clientName: GATEWAY_CLIENT_NAMES.NODE_HOST,
|
|
2208
|
+
clientDisplayName: displayName,
|
|
2209
|
+
clientVersion: VERSION,
|
|
2210
|
+
platform: process.platform,
|
|
2211
|
+
mode: GATEWAY_CLIENT_MODES.NODE,
|
|
2212
|
+
role: "node",
|
|
2213
|
+
scopes: [],
|
|
2214
|
+
caps: ["system", ...browserProxyEnabled ? ["browser"] : []],
|
|
2215
|
+
commands: [
|
|
2216
|
+
...NODE_SYSTEM_RUN_COMMANDS,
|
|
2217
|
+
...NODE_EXEC_APPROVALS_COMMANDS,
|
|
2218
|
+
...browserProxyEnabled ? [NODE_BROWSER_PROXY_COMMAND] : []
|
|
2219
|
+
],
|
|
2220
|
+
pathEnv,
|
|
2221
|
+
permissions: void 0,
|
|
2222
|
+
deviceIdentity: loadOrCreateDeviceIdentity(),
|
|
2223
|
+
tlsFingerprint: gateway.tlsFingerprint,
|
|
2224
|
+
onEvent: (evt) => {
|
|
2225
|
+
if (evt.event !== "node.invoke.request") return;
|
|
2226
|
+
const payload = coerceNodeInvokePayload(evt.payload);
|
|
2227
|
+
if (!payload) return;
|
|
2228
|
+
handleInvoke(payload, client, skillBins);
|
|
2229
|
+
},
|
|
2230
|
+
onConnectError: (err) => {
|
|
2231
|
+
console.error(`node host gateway connect failed: ${err.message}`);
|
|
2232
|
+
},
|
|
2233
|
+
onClose: (code, reason) => {
|
|
2234
|
+
console.error(`node host gateway closed (${code}): ${reason}`);
|
|
2235
|
+
}
|
|
2236
|
+
});
|
|
2237
|
+
const skillBins = new SkillBinsCache(async () => {
|
|
2238
|
+
const res = await client.request("skills.bins", {});
|
|
2239
|
+
return Array.isArray(res?.bins) ? res.bins.map((bin) => String(bin)) : [];
|
|
2240
|
+
}, pathEnv);
|
|
2241
|
+
client.start();
|
|
2242
|
+
await new Promise(() => {});
|
|
2243
|
+
}
|
|
2244
|
+
//#endregion
|
|
2245
|
+
//#region src/commands/node-daemon-install-helpers.ts
|
|
2246
|
+
async function buildNodeInstallPlan(params) {
|
|
2247
|
+
const { devMode, nodePath } = await resolveDaemonInstallRuntimeInputs({
|
|
2248
|
+
env: params.env,
|
|
2249
|
+
runtime: params.runtime,
|
|
2250
|
+
devMode: params.devMode,
|
|
2251
|
+
nodePath: params.nodePath
|
|
2252
|
+
});
|
|
2253
|
+
const { programArguments, workingDirectory } = await resolveNodeProgramArguments({
|
|
2254
|
+
host: params.host,
|
|
2255
|
+
port: params.port,
|
|
2256
|
+
tls: params.tls,
|
|
2257
|
+
tlsFingerprint: params.tlsFingerprint,
|
|
2258
|
+
nodeId: params.nodeId,
|
|
2259
|
+
displayName: params.displayName,
|
|
2260
|
+
dev: devMode,
|
|
2261
|
+
runtime: params.runtime,
|
|
2262
|
+
nodePath
|
|
2263
|
+
});
|
|
2264
|
+
await emitDaemonInstallRuntimeWarning({
|
|
2265
|
+
env: params.env,
|
|
2266
|
+
runtime: params.runtime,
|
|
2267
|
+
programArguments,
|
|
2268
|
+
warn: params.warn,
|
|
2269
|
+
title: "Node daemon runtime"
|
|
2270
|
+
});
|
|
2271
|
+
const environment = buildNodeServiceEnvironment({ env: params.env });
|
|
2272
|
+
return {
|
|
2273
|
+
programArguments,
|
|
2274
|
+
workingDirectory,
|
|
2275
|
+
environment,
|
|
2276
|
+
description: formatNodeServiceDescription({ version: environment.MOLDCLAW_SERVICE_VERSION })
|
|
2277
|
+
};
|
|
2278
|
+
}
|
|
2279
|
+
//#endregion
|
|
2280
|
+
//#region src/commands/node-daemon-runtime.ts
|
|
2281
|
+
const DEFAULT_NODE_DAEMON_RUNTIME = DEFAULT_GATEWAY_DAEMON_RUNTIME;
|
|
2282
|
+
function isNodeDaemonRuntime(value) {
|
|
2283
|
+
return isGatewayDaemonRuntime(value);
|
|
2284
|
+
}
|
|
2285
|
+
//#endregion
|
|
2286
|
+
//#region src/cli/node-cli/daemon.ts
|
|
2287
|
+
function renderNodeServiceStartHints() {
|
|
2288
|
+
return buildPlatformServiceStartHints({
|
|
2289
|
+
installCommand: formatCliCommand("moldclaw node install"),
|
|
2290
|
+
startCommand: formatCliCommand("moldclaw node start"),
|
|
2291
|
+
launchAgentPlistPath: `~/Library/LaunchAgents/${resolveNodeLaunchAgentLabel()}.plist`,
|
|
2292
|
+
systemdServiceName: resolveNodeSystemdServiceName(),
|
|
2293
|
+
windowsTaskName: resolveNodeWindowsTaskName()
|
|
2294
|
+
});
|
|
2295
|
+
}
|
|
2296
|
+
function buildNodeRuntimeHints(env = process.env) {
|
|
2297
|
+
return buildPlatformRuntimeLogHints({
|
|
2298
|
+
env,
|
|
2299
|
+
systemdServiceName: resolveNodeSystemdServiceName(),
|
|
2300
|
+
windowsTaskName: resolveNodeWindowsTaskName()
|
|
2301
|
+
});
|
|
2302
|
+
}
|
|
2303
|
+
function resolveNodeDefaults(opts, config) {
|
|
2304
|
+
const host = opts.host?.trim() || config?.gateway?.host || "127.0.0.1";
|
|
2305
|
+
const portOverride = parsePort(opts.port);
|
|
2306
|
+
if (opts.port !== void 0 && portOverride === null) return {
|
|
2307
|
+
host,
|
|
2308
|
+
port: null
|
|
2309
|
+
};
|
|
2310
|
+
return {
|
|
2311
|
+
host,
|
|
2312
|
+
port: portOverride ?? config?.gateway?.port ?? 28789
|
|
2313
|
+
};
|
|
2314
|
+
}
|
|
2315
|
+
async function runNodeDaemonInstall(opts) {
|
|
2316
|
+
const { json, stdout, warnings, emit, fail } = createDaemonInstallActionContext(opts.json);
|
|
2317
|
+
if (failIfNixDaemonInstallMode(fail)) return;
|
|
2318
|
+
const config = await loadNodeHostConfig();
|
|
2319
|
+
const { host, port } = resolveNodeDefaults(opts, config);
|
|
2320
|
+
if (!Number.isFinite(port ?? NaN) || (port ?? 0) <= 0) {
|
|
2321
|
+
fail("Invalid port");
|
|
2322
|
+
return;
|
|
2323
|
+
}
|
|
2324
|
+
const runtimeRaw = opts.runtime ? String(opts.runtime) : DEFAULT_NODE_DAEMON_RUNTIME;
|
|
2325
|
+
if (!isNodeDaemonRuntime(runtimeRaw)) {
|
|
2326
|
+
fail("Invalid --runtime (use \"node\" or \"bun\")");
|
|
2327
|
+
return;
|
|
2328
|
+
}
|
|
2329
|
+
const service = resolveNodeService();
|
|
2330
|
+
let loaded = false;
|
|
2331
|
+
try {
|
|
2332
|
+
loaded = await service.isLoaded({ env: process.env });
|
|
2333
|
+
} catch (err) {
|
|
2334
|
+
fail(`Node service check failed: ${String(err)}`);
|
|
2335
|
+
return;
|
|
2336
|
+
}
|
|
2337
|
+
if (loaded && !opts.force) {
|
|
2338
|
+
emit({
|
|
2339
|
+
ok: true,
|
|
2340
|
+
result: "already-installed",
|
|
2341
|
+
message: `Node service already ${service.loadedText}.`,
|
|
2342
|
+
service: buildDaemonServiceSnapshot(service, loaded),
|
|
2343
|
+
warnings: warnings.length ? warnings : void 0
|
|
2344
|
+
});
|
|
2345
|
+
if (!json) {
|
|
2346
|
+
defaultRuntime.log(`Node service already ${service.loadedText}.`);
|
|
2347
|
+
defaultRuntime.log(`Reinstall with: ${formatCliCommand("moldclaw node install --force")}`);
|
|
2348
|
+
}
|
|
2349
|
+
return;
|
|
2350
|
+
}
|
|
2351
|
+
const tlsFingerprint = opts.tlsFingerprint?.trim() || config?.gateway?.tlsFingerprint;
|
|
2352
|
+
const tls = Boolean(opts.tls) || Boolean(tlsFingerprint) || Boolean(config?.gateway?.tls);
|
|
2353
|
+
const { programArguments, workingDirectory, environment, description } = await buildNodeInstallPlan({
|
|
2354
|
+
env: process.env,
|
|
2355
|
+
host,
|
|
2356
|
+
port: port ?? 28789,
|
|
2357
|
+
tls,
|
|
2358
|
+
tlsFingerprint: tlsFingerprint || void 0,
|
|
2359
|
+
nodeId: opts.nodeId,
|
|
2360
|
+
displayName: opts.displayName,
|
|
2361
|
+
runtime: runtimeRaw,
|
|
2362
|
+
warn: (message) => {
|
|
2363
|
+
if (json) warnings.push(message);
|
|
2364
|
+
else defaultRuntime.log(message);
|
|
2365
|
+
}
|
|
2366
|
+
});
|
|
2367
|
+
await installDaemonServiceAndEmit({
|
|
2368
|
+
serviceNoun: "Node",
|
|
2369
|
+
service,
|
|
2370
|
+
warnings,
|
|
2371
|
+
emit,
|
|
2372
|
+
fail,
|
|
2373
|
+
install: async () => {
|
|
2374
|
+
await service.install({
|
|
2375
|
+
env: process.env,
|
|
2376
|
+
stdout,
|
|
2377
|
+
programArguments,
|
|
2378
|
+
workingDirectory,
|
|
2379
|
+
environment,
|
|
2380
|
+
description
|
|
2381
|
+
});
|
|
2382
|
+
}
|
|
2383
|
+
});
|
|
2384
|
+
}
|
|
2385
|
+
async function runNodeDaemonUninstall(opts = {}) {
|
|
2386
|
+
return await runServiceUninstall({
|
|
2387
|
+
serviceNoun: "Node",
|
|
2388
|
+
service: resolveNodeService(),
|
|
2389
|
+
opts,
|
|
2390
|
+
stopBeforeUninstall: false,
|
|
2391
|
+
assertNotLoadedAfterUninstall: false
|
|
2392
|
+
});
|
|
2393
|
+
}
|
|
2394
|
+
async function runNodeDaemonRestart(opts = {}) {
|
|
2395
|
+
await runServiceRestart({
|
|
2396
|
+
serviceNoun: "Node",
|
|
2397
|
+
service: resolveNodeService(),
|
|
2398
|
+
renderStartHints: renderNodeServiceStartHints,
|
|
2399
|
+
opts
|
|
2400
|
+
});
|
|
2401
|
+
}
|
|
2402
|
+
async function runNodeDaemonStop(opts = {}) {
|
|
2403
|
+
return await runServiceStop({
|
|
2404
|
+
serviceNoun: "Node",
|
|
2405
|
+
service: resolveNodeService(),
|
|
2406
|
+
opts
|
|
2407
|
+
});
|
|
2408
|
+
}
|
|
2409
|
+
async function runNodeDaemonStatus(opts = {}) {
|
|
2410
|
+
const json = Boolean(opts.json);
|
|
2411
|
+
const service = resolveNodeService();
|
|
2412
|
+
const [loaded, command, runtime] = await Promise.all([
|
|
2413
|
+
service.isLoaded({ env: process.env }).catch(() => false),
|
|
2414
|
+
service.readCommand(process.env).catch(() => null),
|
|
2415
|
+
service.readRuntime(process.env).catch((err) => ({
|
|
2416
|
+
status: "unknown",
|
|
2417
|
+
detail: String(err)
|
|
2418
|
+
}))
|
|
2419
|
+
]);
|
|
2420
|
+
const payload = { service: {
|
|
2421
|
+
...buildDaemonServiceSnapshot(service, loaded),
|
|
2422
|
+
command,
|
|
2423
|
+
runtime
|
|
2424
|
+
} };
|
|
2425
|
+
if (json) {
|
|
2426
|
+
defaultRuntime.log(JSON.stringify(payload, null, 2));
|
|
2427
|
+
return;
|
|
2428
|
+
}
|
|
2429
|
+
const { rich, label, accent, infoText, okText, warnText, errorText } = createCliStatusTextStyles();
|
|
2430
|
+
const serviceStatus = loaded ? okText(service.loadedText) : warnText(service.notLoadedText);
|
|
2431
|
+
defaultRuntime.log(`${label("Service:")} ${accent(service.label)} (${serviceStatus})`);
|
|
2432
|
+
if (command?.programArguments?.length) defaultRuntime.log(`${label("Command:")} ${infoText(command.programArguments.join(" "))}`);
|
|
2433
|
+
if (command?.sourcePath) defaultRuntime.log(`${label("Service file:")} ${infoText(command.sourcePath)}`);
|
|
2434
|
+
if (command?.workingDirectory) defaultRuntime.log(`${label("Working dir:")} ${infoText(command.workingDirectory)}`);
|
|
2435
|
+
const runtimeLine = formatRuntimeStatus(runtime);
|
|
2436
|
+
if (runtimeLine) {
|
|
2437
|
+
const runtimeColor = resolveRuntimeStatusColor(runtime?.status);
|
|
2438
|
+
defaultRuntime.log(`${label("Runtime:")} ${colorize(rich, runtimeColor, runtimeLine)}`);
|
|
2439
|
+
}
|
|
2440
|
+
if (!loaded) {
|
|
2441
|
+
defaultRuntime.log("");
|
|
2442
|
+
for (const hint of renderNodeServiceStartHints()) defaultRuntime.log(`${warnText("Start with:")} ${infoText(hint)}`);
|
|
2443
|
+
return;
|
|
2444
|
+
}
|
|
2445
|
+
const baseEnv = {
|
|
2446
|
+
...process.env,
|
|
2447
|
+
...command?.environment ?? void 0
|
|
2448
|
+
};
|
|
2449
|
+
const hintEnv = {
|
|
2450
|
+
...baseEnv,
|
|
2451
|
+
MOLDCLAW_LOG_PREFIX: baseEnv.MOLDCLAW_LOG_PREFIX ?? "node"
|
|
2452
|
+
};
|
|
2453
|
+
if (runtime?.missingUnit) {
|
|
2454
|
+
defaultRuntime.error(errorText("Service unit not found."));
|
|
2455
|
+
for (const hint of buildNodeRuntimeHints(hintEnv)) defaultRuntime.error(errorText(hint));
|
|
2456
|
+
return;
|
|
2457
|
+
}
|
|
2458
|
+
if (runtime?.status === "stopped") {
|
|
2459
|
+
defaultRuntime.error(errorText("Service is loaded but not running."));
|
|
2460
|
+
for (const hint of buildNodeRuntimeHints(hintEnv)) defaultRuntime.error(errorText(hint));
|
|
2461
|
+
}
|
|
2462
|
+
}
|
|
2463
|
+
//#endregion
|
|
2464
|
+
//#region src/cli/node-cli/register.ts
|
|
2465
|
+
function parsePortWithFallback(value, fallback) {
|
|
2466
|
+
return parsePort(value) ?? fallback;
|
|
2467
|
+
}
|
|
2468
|
+
function registerNodeCli(program) {
|
|
2469
|
+
const node = program.command("node").description("Run and manage the headless node host service").addHelpText("after", () => `\n${theme.heading("Examples:")}\n${formatHelpExamples([
|
|
2470
|
+
["moldclaw node run --host 127.0.0.1 --port 28789", "Run the node host in the foreground."],
|
|
2471
|
+
["moldclaw node status", "Check node host service status."],
|
|
2472
|
+
["moldclaw node install", "Install the node host service."],
|
|
2473
|
+
["moldclaw node restart", "Restart the installed node host service."]
|
|
2474
|
+
])}\n\n${theme.muted("Docs:")} ${formatDocsLink("/cli/node", "docs.moldclaw.ai/cli/node")}\n`);
|
|
2475
|
+
node.command("run").description("Run the headless node host (foreground)").option("--host <host>", "Gateway host").option("--port <port>", "Gateway port").option("--tls", "Use TLS for the gateway connection", false).option("--tls-fingerprint <sha256>", "Expected TLS certificate fingerprint (sha256)").option("--node-id <id>", "Override node id (clears pairing token)").option("--display-name <name>", "Override node display name").action(async (opts) => {
|
|
2476
|
+
const existing = await loadNodeHostConfig();
|
|
2477
|
+
await runNodeHost({
|
|
2478
|
+
gatewayHost: opts.host?.trim() || existing?.gateway?.host || "127.0.0.1",
|
|
2479
|
+
gatewayPort: parsePortWithFallback(opts.port, existing?.gateway?.port ?? 28789),
|
|
2480
|
+
gatewayTls: Boolean(opts.tls) || Boolean(opts.tlsFingerprint),
|
|
2481
|
+
gatewayTlsFingerprint: opts.tlsFingerprint,
|
|
2482
|
+
nodeId: opts.nodeId,
|
|
2483
|
+
displayName: opts.displayName
|
|
2484
|
+
});
|
|
2485
|
+
});
|
|
2486
|
+
node.command("status").description("Show node host status").option("--json", "Output JSON", false).action(async (opts) => {
|
|
2487
|
+
await runNodeDaemonStatus(opts);
|
|
2488
|
+
});
|
|
2489
|
+
node.command("install").description("Install the node host service (launchd/systemd/schtasks)").option("--host <host>", "Gateway host").option("--port <port>", "Gateway port").option("--tls", "Use TLS for the gateway connection", false).option("--tls-fingerprint <sha256>", "Expected TLS certificate fingerprint (sha256)").option("--node-id <id>", "Override node id (clears pairing token)").option("--display-name <name>", "Override node display name").option("--runtime <runtime>", "Service runtime (node|bun). Default: node").option("--force", "Reinstall/overwrite if already installed", false).option("--json", "Output JSON", false).action(async (opts) => {
|
|
2490
|
+
await runNodeDaemonInstall(opts);
|
|
2491
|
+
});
|
|
2492
|
+
node.command("uninstall").description("Uninstall the node host service (launchd/systemd/schtasks)").option("--json", "Output JSON", false).action(async (opts) => {
|
|
2493
|
+
await runNodeDaemonUninstall(opts);
|
|
2494
|
+
});
|
|
2495
|
+
node.command("stop").description("Stop the node host service (launchd/systemd/schtasks)").option("--json", "Output JSON", false).action(async (opts) => {
|
|
2496
|
+
await runNodeDaemonStop(opts);
|
|
2497
|
+
});
|
|
2498
|
+
node.command("restart").description("Restart the node host service (launchd/systemd/schtasks)").option("--json", "Output JSON", false).action(async (opts) => {
|
|
2499
|
+
await runNodeDaemonRestart(opts);
|
|
2500
|
+
});
|
|
2501
|
+
}
|
|
2502
|
+
//#endregion
|
|
2503
|
+
export { registerNodeCli };
|